Coordinating the Disclosure of Security Vulnerabilities in Canada

See Something, Say Something Coordinating the Disclosure of Security Vulnerabilities in Canada

June 2021 Yuan Stevens | Stephanie Tran | Ryan Atkinson | Sam Andrey Cybersecure Policy Exchange The Cybersecure Policy Exchange (CPX) is an initiative dedicated to advancing effective and innovative public policy in cybersecurity and digital privacy, powered by RBC through Rogers Cybersecure Catalyst and the Ryerson Leadership Lab. Our goal is to broaden and deepen the debate and discussion of cybersecurity and digital privacy policy in Canada, and to create and advance innovative policy responses, from idea generation to implementation. This initiative is sponsored by the Royal Bank of Canada; we are committed to publishing independent and objective findings and ensuring transparency by declaring the sponsors of our work.

Rogers Cybersecure Catalyst Rogers Cybersecure Catalyst is Ryerson University’s national centre for innovation and collaboration in cybersecurity. The Catalyst works closely with the private and public sectors and academic institutions to help Canadians and Canadian businesses tackle the challenges and seize the opportunities of cybersecurity. Based in Brampton, the Catalyst delivers training; commercial acceleration programming; support for applied R&D; and public education and policy development, all in cybersecurity.

Ryerson Leadership Lab The Ryerson Leadership Lab is an action-oriented think tank at Ryerson University dedicated to developing new leaders and solutions to today’s most pressing civic challenges. Through public policy activation and leadership development, the Leadership Lab’s mission is to build a new generation of skilled and adaptive leaders committed to a more trustworthy, inclusive society.

This project is sponsored by the Department of National Defence’s Mobilizing Insights in Defence and Security program. How to Cite this Report Stevens, Y., Tran, S., Atkinson, R., Andrey, S. (2021, June). See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada. Retrieved from https://www.cybersecurepolicy.ca/vulnerability-disclosure.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. You are free to share, copy and redistribute this material provided you: give appropriate credit; do not use the material for commercial purposes; do not apply legal terms or technological measures that legally restrict others from doing anything the license permits; and if you remix, transform, or build upon the material, you must distribute your contributions under the same licence, indicate if changes were made, and not suggest the licensor endorses you or your use.

Contributors Sam Andrey, Director of Policy & Research, Ryerson Leadership Lab Ryan Atkinson, Policy Consultant, Cybersecure Policy Exchange Karim Bardeesy, Executive Director, Ryerson Leadership Lab Sumit Bhatia, Director of Innovation and Policy, Rogers Cybersecure Catalyst Zaynab Choudhry, Design Lead Charles Finlay, Executive Director, Rogers Cybersecure Catalyst Braelyn Guppy, Marketing and Communications Lead, Ryerson Leadership Lab Sharan Khela, Research and Policy Intern, Cybersecure Policy Exchange Mohammed (Joe) Masoodi, Policy Analyst, Cybersecure Policy Exchange Stephanie Tran, Research and Policy Assistant, Cybersecure Policy Exchange Yuan Stevens, Policy Lead, Cybersecure Policy Exchange

Our work is guided by these core principles: • Responsible technology governance is a key to Canadians’ cybersecurity and digital privacy. • Complex technology challenges call for original insights and innovative policy solutions. • Canadians’ opinions matter, and must inform every discussion of technology policy. • Cybersecurity needs to be explained and made relevant to Canadians, and cannot be relegated to language and concepts accessible only to experts. • Canadian institutions matter, and must evolve to meet new cybersecurity and digital privacy risks to maintain the public trust. • Harms, inequities and injustices arising from the unequal use or application of technology must be confronted, wherever they exist or could arise.

For more information, visit: https://www.cybersecurepolicy.ca/ @cyberpolicyx @cyberpolicyx Cybersecure Policy Exchange Executive Summary

Ill-intentioned actors are rapidly developing the harm. Absent this framework, discovering technological means to exploit vulnerabilities and disclosing vulnerabilities may result in in the web assets, software, hardware, and a security researcher facing liability under networked infrastructure of governments the Criminal Code, as well as potentially the around the world. Numerous jurisdictions have Copyright Act, if exemptions do not apply. adopted the policy approach of facilitating Whistleblower legislation in Canada generally coordinated vulnerability disclosure (CVD) as would also not apply to vulnerability disclosure one means to better secure the public sector’s except in very limited, specific instances. systems, through which external security researchers are provided a predictable and Further, Canada’s Centre for Cyber Security cooperative process to disclose security flaws — and its parent agency the Communications for patching before they are exploited. Canada Security Establishment — currently have is falling behind its peers and allies in adopting practices and policies that may discourage such an approach. people from disclosing vulnerabilities and, on top of this, are also opaque about how such A global scan of vulnerability disclosure policy vulnerabilities are handled. approaches indicates that 60 percent of G20 member countries provide distinct and The cumulative effect of this approach in clear disclosure processes for vulnerabilities Canada means that there is no straightforward involving government systems, with many or transparent path for a person wishing to providing clarity regarding the disclosure responsibly disclose a security vulnerability process and expectations for security found in the computer systems used by the researchers regarding communication and Government of Canada — resulting in possible acceptable activity. The Netherlands and non-disclosure, public disclosure before the US are particularly leading the way remediation, or otherwise enabling the use of when it comes to providing comprehensive security vulnerabilities by attackers in ways policy and pragmatic solutions for external that could jeopardize the security of Canada’s vulnerability disclosure, acting as a learning computer systems and the people that they model for Canada. Both countries have also serve. begun to provide explicit legal clarification regarding acceptable security research activity, particularly in the context of coordinated vulnerability disclosure.

In Canada, there exists no legal or policy framework regarding security research and vulnerability disclosure done in good faith; that is, done with the intent and in such a way to repair the vulnerability while causing minimal

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 4 In light of these findings, we advocate for the following three policy solutions in Canada to remedy these gaps:

1. Canada needs a policy framework for good faith vulnerability discovery and disclosure;

2. Canada should carefully implement coordinated vulnerability disclosure procedures for the federal government’s computer systems, and draw on emerging best practices as it does so; and

3. Vulnerabilities disclosed to the government from external actors should be kept separate from the government’s handling of vulnerabilities uncovered internally in the course of Canada’s defensive and offensive intelligence efforts.

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 5 INTRODUCTION The Need for Coordinated Vulnerability Disclosure

01 The Need for Coordinated corporate intellectual property rights, human Vulnerability Disclosure rights such as freedom of expression, and the motivation and impact of security research and 9 In 2008, the Dutch court faced a difficult hacking activity. decision. Academic researchers at Radboud University decided to examine the security of The court rendered its decision in July 2008. a smart card, which was being rolled out on a In short, the court rejected NXP’s request to mass scale for use across the country’s transit suppress the information largely on the basis 10 system.1 The contactless card reader used the of copyright law and freedom of expression. It MIFARE Classic chip by Dutch manufacturer held that the chip’s algorithm, a mathematical NXP. The chip was already in use for major formula, was not a copyrighted work and had transit systems, including London,2 Hong Kong never been made public. The court also found and Boston,3 and for government buildings that the researchers lacked the element of in the Netherlands and elsewhere.4 In their intention needed for criminal liability, given work, the security researchers discovered that that their work “sought only to raise the issue the chip’s encryption algorithm was using a of social wrongdoing and promote scientific 11 random number generator to protect the card’s research on encryption.” memory that was not, in fact, random at all.5 The result was that the research team was More than this, the court concluded that able to access the chip’s encryption protocol, the risk of misuse of the chip emanated not enabling them to use cloned smartcards for from the researchers’ activity, but due to the limitless transit trips and unauthorized entry into chip design itself. NXP had also provided an government buildings. assessment of harm that was far too general and oversimplified to justify the limitations The researchers informed NXP, the Dutch they sought on the researchers’ freedom Ministry of the Interior, and the Dutch transit of expression. In the end, a student at the agency not long after discovering the flaw in centre of the Radboud research project won early March 2008, in hopes that the security numerous awards for his contributions to 12 flaw could be patched.6 The researchers sought the field of security, the professors involved to give the government and NXP at least six continued their illustrious careers, and NXP months to remediate the issue before releasing continued to release improved smartcard chips the results of their research at an academic in which security researchers invariably found conference in October 2008.7 The six-month vulnerabilities. embargo was not an issue for the Dutch intelligence and security agency, which saw The case is significant for the way it has the timing as reasonable and beneficial for the shaped policy discourse and solutions in government.8 But in June that year, NXP sought the Netherlands regarding coordinated a restraining order against the researchers, vulnerability disclosure (CVD), a policy hoping to prevent them from publishing their approach that provides external security research in October. The judge carefully researchers a predictable and cooperative weighed the interests at stake when security process to disclose security flaws for patching 13 researchers disclose vulnerabilities — including before they are exploited. Since 2008, security

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 7 researchers in the Netherlands have been able responses to cyberattacks20 and the to rely on this legal decision to support the vulnerabilities that can enable them.21 claim that disclosing vulnerabilities responsibly and in a coordinated fashion is indeed possible On top of this, approximately 28% of and is, in fact, often desirable in pursuit of organizations have reported an increase in better ensuring the security of the government’s cyberattacks, insider threats or data breaches computer systems and critical infrastructure. since the COVID-19 pandemic began.22 Another report found that the average cost of After numerous other significant hacks of data breaches in Canada has risen 7% since government systems, the Dutch government 2019,23 while the average ransom demand released two documents in 2013 that explained increased by 33% since Q4 2019.24 Internet- how coordinated vulnerability disclosure should connected (Internet of Things or IoT) devices be treated by organizations, prosecutors in the procured by federal governments warrant Netherlands, and the Dutch National Cyber particular attention when it comes to security Security Centre, both of which are described in considerations, given their interconnected detail below. nature and the supply chain risks that insecure devices pose to the government.25 The 2020 The case also illustrates the need for National Cyber Threat Assessment issued governments to consider facilitating disclosure by the Canadian Centre for Cyber Security of vulnerabilities found in their systems (of vital found that the targeting of critical infrastructure importance) as one solution among many in industrial control systems will very likely the pursuit of more secure infrastructure. This increase in the next two years, as attackers is because software and hardware will always attempt to place increased pressure to contain latent vulnerabilities that have the promptly accede to ransom demands.26 potential to be exploited,14 regardless of how much testing is done prior to deployment.15 Governments, organizations, and individuals all benefit when security researchers are Cyberattacks on critical infrastructure are encouraged and enabled to disclose also now the norm16 and come at alarming vulnerabilities in “good faith”27 — a term used costs. Indeed, cyberattacks are significantly throughout this report referring to vulnerability disrupting digital infrastructure and operations disclosure done with the intent and in such a in Canada at an increasing rate, with annual way to repair the vulnerability while causing economic losses estimated at more than $3 minimal harm. Good faith need not be the only billion.17 A recent report estimated that Canada way to understand such activity; disclosure experienced more than 4,000 ransomware may also be done in the public interest incidents in 2020 — with costs to organizations and, for those who prefer such terminology, exceeding $1 billion.18 Statistics Canada also may constitute “ethical hacking.”28 In any found that more than one-fifth of Canadian case, providing responsible and predictable businesses reported being impacted by vulnerability disclosure procedures in turn cybersecurity incidents in 2019.19 Indeed, the allows researchers to responsibly disclosure rapidness of technological development has vulnerabilities for remediation before malicious resulted in calls for internationally coordinated attackers exploit such weaknesses.

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 8 Coordinated Vulnerability Disclosure as Global Intent of Report Best Practice

This report seeks to help the Facilitating coordinated vulnerability disclosure Government of Canada adapt to is becoming a policy standard and best meet the challenges posed by digital practice for organizations and governments transformation, and the security threats around the globe.29 Beyond the Netherlands, that come with rapid technological the US30 and the UK,31 as well as the EU,32 development and deployment. While are among the jurisdictions that have begun far from providing exhaustive solutions, providing legal clarification and procedures this report begins to identify both policy for facilitating coordinated vulnerability gaps and pragmatic solutions that disclosure as one means to better secure the can harness the skillset of security public sector’s systems. However, the topic researchers and professionals who remains understudied and underutilized in the find and responsibly disclose security Canadian context, leaving Canada’s federal flaws in government websites, institutions potentially more vulnerable in the software, hardware, IoT devices, and face of threat actors.33 critical infrastructure before attackers do. To this end, we engaged in a review of interdisciplinary academic literature, government policies and procedure, as well as legislation, to provide a scan of current CVD approaches in Canada and around the globe, with a particular focus on countries that are members of the G20 and a few select countries elsewhere with noteworthy policy developments that add to the diversity of countries analyzed (see Appendix A). Limiting this report’s scope of analysis to focus primarily on the CVD policy approaches of G20 members was logical given the group’s emphasis since at least 2017 on reducing vulnerabilities in internet infrastructure, as well as implementing norms regarding cyberattacks,34 an emphasis which has been of heightened importance during the COVID-19 pandemic.35

This report also draws on two workshops held in early 2021, which brought together computer security experts hailing from industry,

See Something, Say Something: Coordinating the Disclosure 9 of Security Vulnerabilities in Canada government, academia, civil society, and The Global State of Coordinated computer security incident response teams Vulnerability Disclosure Processes who offered expertise on the benefits, risks, and best practices for CVD frameworks that could Governments around the globe have begun be implemented in the Canadian context (see providing vulnerability disclosure procedures list of participants in Appendix B, whose names for their digital systems. The full result of our are listed with permission). The workshops jurisdictional scan is included in Appendix A, were held under the Chatham House Rule, in which provides information for all G20 member order to facilitate productive dialogue on such countries, including Spain as a permanent non- a critical public policy topic without the need to member invitee of the G20; and New Zealand, represent certain organizations’ interests. which we included due to its membership in the Five Eyes intelligence alliance; as well While this project received financial support as Latvia, the Netherlands and Singapore, from the Department of National Defence’s whose policy approaches we particularly Mobilizing Insights in Defence and Security gained knowledge about through the expert program, this report’s findings have workshops we held in early 2021. implications for the security of computer systems across all government bodies We used a modified version of the standards — not only at the federal level, but also at enumerated by Woszczynski et al.36 to assess the provincial and municipal levels — and the number of G20 member countries that meet additionally implicates the systems provided by best practices for coordinated vulnerability third-party software and hardware vendors for disclosure, which Canada does not government use. (see Figure 1).

Figure 1: G20 member countries that meet best practices for CVD, which Canada does not

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 10 This report demonstrates that Canada that exist in software and hardware systems. appears to be falling behind several of its This is because vulnerabilities can (and should) global peers and allies when it comes to be discovered and remediated internally using providing a policy framework for good faith various mechanisms through the product security vulnerability discovery and disclosure development process or after the product in respect of government computer systems. has been released.37 Vulnerabilities may also Various federal laws, as described below, may be disclosed to the public, which may occur have a chilling effect on good faith vulnerability particularly when no vulnerability disclosure discovery and disclosure in Canada. Despite process exists and is often done in hopes that Canada having a fairly robust system in place the entity that owns or manages the software for handling “cyber security events” known will quickly remediate the flaw.38 to the public, Canada’s Centre for Cyber Security (CCCS) and its parent agency the As we describe in the following section, Communications Security Establishment (CSE) coordinated vulnerability disclosure therefore currently have vulnerability handling practices specifically addresses the “wicked” problems of and procedures generally marked by under- external vulnerability discovery and disclosure inclusion and opacity. — for which there are no right or perfect solutions, only better or worse solutions in a These organizational practices by the given context.39 Indeed, facilitating coordinated CCCS and CSE — in tandem with a lack of vulnerability disclosure may bring with it the an adequate policy framework in Canada risk of perpetuating organizational reliance that draws on best practices regarding on systems marked by insecurity,40 rather CVD — operate to dissuade good faith than expecting more secure systems up front. security researchers from discovering or Enabling the good faith external disclosure of disclosing vulnerabilities that affect the vulnerabilities is nonetheless one way to reduce federal government’s systems. Canada’s the harm associated with the now routine current approach to security research activity, exploitation of security flaws and serves as one or otherwise enable the use of security method among many that Canada could use in vulnerabilities by attackers in ways (for the process of ensuring the improved security example, including but not limited to, selling of the federal government’s digital systems. information on illicit markets) that could jeopardize the security of Canada’s computer systems and the people that they serve. It is important to recognize that facilitating coordinated external vulnerability disclosure is just one aspect of an organization’s (including the government’s) security posture and maturity when it comes to addressing the vulnerabilities

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 11 Defining Coordinated Vulnerability Disclosure

02 Defining Coordinated Malicious actors can develop software or Vulnerability Disclosure code to exploit these vulnerabilities, using these weaknesses to “steal and extort money It is important to understand how vulnerability and data, disrupt processes, or spy on 48 disclosure works in order to provide effective organisations and individuals.” However, policy solutions in respect of this topic. In organizations can consent to having their code sum, security vulnerabilities in the context or systems exploited in order to test the current status of their security measures and system of computing are a set of conditions or configurations through network ‘penetration’ behaviours that allow for the violation of an explicit or implicit security policy.41 In other testing or ‘red-team’ work that mimics the 49 words, vulnerabilities are weaknesses that can activity of an organization’s threat actors. be exploited, allowing attackers to perform unauthorized and/or undesirable actions. Vulnerability discovery and disclosure can The weakness can be found in hardware or take many forms. As mentioned, vulnerability software code, “in an information system, discovery and disclosure occur internally in system security procedures, internal controls, or the development process. Vulnerabilities can implementation.”42 also be discovered externally from an entity not responsible for maintaining the code or system. This report focuses specifically on Security researchers can intentionally set out to vulnerabilities found in computer code and test systems for vulnerabilities or may stumble upon them in the course of their work or spare systems. Code vulnerabilities involve the written code embedded in a product’s software time. Someone who discovers a vulnerability, and/or firmware components embedded in but takes no action, withholds that information; hardware.43 All computer code contains latent this is an instance of non-disclosure. For or undiscovered vulnerabilities. A vulnerability decades, security researchers have routinely is often described as a “zero day” vulnerability disclosed vulnerability information to the public as soon as it’s first been discovered, but before in order to push software vendors to improve a mitigation becomes available.44 Sometimes their security, which can problematically enable a vulnerability will always remain, but often the attackers to use this information before the 50 risk can be eliminated or reduced. vulnerability has been patched or remediated. They can also sell the information on or System vulnerabilities involve the a potentially illicit market directly to 51 implementation or configuration of an governments (often called the “grey market”). information system, with a major source of vulnerabilities in this context involving the In many ways, coordinated vulnerability maintenance of up-to-date software or system disclosure stands in contrast to these configurations.45 The Equifax incident, involving vulnerability disclosure methods. It involves 19,000 Canadians,46 is an excellent example researchers contacting systems providers of a company’s failure to patch vulnerable in order for the vulnerability to be patched systems, leading to a massive security breach.47 before the public learns about the vulnerability, and to reduce the risk of it being exploited.52 Coordinated vulnerability disclosure is not an

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 13 event, but an ongoing process for reducing There are various roles in coordinated the risk associated with the existence of vulnerability procedures.57 There are the finder/ vulnerabilities that have been discovered, but discoverers, the reporter (which may overlap not yet remediated or patched.53 The principles with the finder),system providers (software of CVD include: or hardware vendors, including institutions • Reducing harm;54 that develop products for their own use), the deployer (which must deploy a patch or take • Presuming benevolence;55 remediation action, and which may overlap • Avoiding surprise; with the system provider), and the coordinator • Incentivizing desired behaviour; that facilitates coordinated responses. Other stakeholders in the CVD process include • Process improvement; and users, integrators, cloud and application • Addressing the “wicked problem” of service providers, IoT and mobile vendors, and vulnerability disclosure, which is a governments.58 multifaceted problem for which there are no “right” answers, only “better” or “worse” solutions in a given context.56

Phases of Vulnerability Disclosure 2. Reporting 3. Validation and triage

1. Discovery

4. The development and testing of a remedy or solution (a patch or other mechanisms) 6. Making the public aware of the vulnerability and its remediation, either before, during or after deployment.59

5. Deployment (applying the solution)

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 14 There is the possibility for significant variation As mentioned, there are invariably some risks in the coordinated vulnerability disclosure associated with the implementation of CVD process.60 There can be variation in the procedures, and the possibility for things to go elements of the disclosure policy, coordination wrong. Risks associated with the facilitation of across multiple parties (e.g., the system CVD include the following: providers, vulnerability finders or discoverers, vendors, supply chains or service providers • There is no contact information available for affected, etc.). There also can be variation system providers; in the pacing and synchronization of CVD • Disclosers can stop responding; frameworks. The coordination aspects of CVD can specifically vary in terms of: • Information can be leaked; • People may discover vulnerabilities and not • Requirements to disclose to the software necessarily disclose it; and hardware vendors, or to the • A vulnerability discoverer may actively organizations deploying their services; exploit the vulnerability; • Whether the CVD procedure is deployed • Relationships can go awry; and through legal regulation, organizational • Vulnerability disclosure policies or policies, guidelines, or performance procedures may exist for hype, marketing, indicators; or to limit the unwanted attention that • Whether the CVD procedure is run in- comes from full or partial public disclosure house by an organization or whether they of vulnerabilities.62 outsource that to a third party; and • Whether people are credited, recognized, or If a CVD procedure exists but is inadequate, it remunerated for submissions deemed valid may be counterproductive. Organizations that or worthy of remediating.61 set their program scope too wide, or that have less mature security practices, may struggle to handle external vulnerability reports, in turn fostering frustration among finders who expect clear communication and quick resolution from the organization.63 Disclosers may also turn to full disclosure if organizational response or patching takes too long.64

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 15 However, there are numerous benefits • Enabling vulnerability disclosure can also associated with the implementation of build goodwill and trust with security CVD procedures and policies. It is worth researchers.71 remembering that software and hardware • Clearly written CVD procedures can provide will always contain flaws, whether obvious or clear expectations for disclosers, thereby 65 latent in nature. Facilitating CVD includes the preventing situations where disclosers following benefits, among others: demand remuneration or recognition for their disclosure.72 • Facilitating coordinated vulnerability • CVD procedures can provide clarity disclosure can enable good faith security regarding who is responsible for receiving research and the disclosure of flaws found security flaws in the case of governments 66 on an organization’s systems. using third-party software and hardware • CVD procedures facilitate the disclosure service providers. of vulnerabilities that could otherwise • Vulnerability disclosure pipelines provide have been discovered and exploited by clearer and more transparent vulnerability 67 attackers. report triage processes. • In general, external security researchers can find things thatinternal security teams do From the vantage point of the Canadian not discover in the software development government, perhaps the most significant process68 because they are often “exposed benefit of implementing CVD procedures is that to a wider variety of programs and doing so can result in patched vulnerabilities; vulnerabilities through the different types of and better ensure that the vulnerability will not employments, exercises, and communities be used for offensive or exploitative purposes they are involved in and the more diverse in ways that harm the government’s systems, bug reports they read,” providing them infrastructure, and the people that they serve. with an important advantage over internal security testers.69 • CVD can help to provide some legal clarification for good faith security researchers, who can avoid legal liability by adhering to the CVD procedures, and otherwise may face significant legal repercussions for their activity.70

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 16 POLICY CASE STUDIES: The Netherlands and the U.S.

03 The Netherlands The NCSC was established in 2002.75 It is and the U.S. the government organization charged with ensuring the security of computer systems and 76 In the course of conducting analyses on CVD infrastructure in the Netherlands. The NCSC policies around the globe, certain aspects sits within the Ministry of Justice and Security, of the policy developments in two countries which has the mandate to protect the freedom particularly stood out as worth emulating in and safety of people in the Netherlands 77 Canada: the Netherlands and the US. These through its policies and regulations. countries’ approaches are distinct for the way they implemented vulnerability procedures The NCSC states that it is a best practice — but involving the federal government relatively not legally required — for public and private early on (in the 2010s) and have provided organizations to implement their own CVD 78 clarification regarding the legal treatment of procedures. This stands in contrast to the vulnerability disclosure through various policy US approach described in the next section, instruments. where all federal agencies are now required to facilitate CVD through vulnerability disclosure The Netherlands: The NCSC, policies. Guidelines, and Legal Protection for Public Interest Security The NCSC’s CVD procedure outlined in its Research guideline is succinct yet informative, and not without its own gaps. People who discover a vulnerability in a government system or “a The Netherlands’ approach to coordinated system with a vital function” are instructed to vulnerability disclosure encourages, but first approach the “owner” or “manager” of does not require, organizations to have CVD the system.79 This is because organizations procedures. It can be seen as providing legal that manage, own or supply systems are protection, to some extent and in light of expected to handle the vulnerability disclosure certain considerations, for security research process that directly concerns them.80 The activity (including vulnerability discovery and NCSC encourages organizations to have their disclosure) that occurs in the public interest. own CVD policies, and it provides resources In the Dutch context, the federal government’s to these organizations, including templates computer incident response team — the for such policies. However, one noteworthy National Cybersecurity Centre (NCSC) — downside to the Dutch approach to CVD is that acts as a model to other organizations in its guidelines do not clarify what is required for the Netherlands for best practices regarding disclosure affecting multiple parties, such as the handling of vulnerability disclosure as software vendors and the government. stipulated in its guidelines on CVD.73 The NCSC provides publicly available and detailed In any case, the NCSC acts as an intermediary guidelines for stakeholders in the coordinated between the discloser and organizations that vulnerability disclosure process.74 fail to respond or do not respond appropriately. The NCSC also provides a CVD report form and email contact information, as well as the

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 18 NCSC’s PGP key, to better ensure the safety of who disclose, dependent on the severity of the the information sent to the NCSC.81 Disclosers vulnerability and quality of the report, ranging are instructed to submit the report as soon as from a T-shirt or gift voucher to a maximum of possible after discovering the vulnerability. €300. They are also encouraged to avoid sharing the vulnerability information until they have heard In its own CVD procedure, the NCSC states from the NCSC or until it has been resolved. that it will have “no reason to take legal action” Disclosers are not to take any action other than as a result of a vulnerability report, so long as that which is needed to demonstrate that the it’s been submitted in accordance with the problem exists. requirements laid out.84 Prosecutors and police in the Netherlands will take into consideration The NCSC also performs the important role whether a CVD policy exists, and whether of delineating the responsibilities of security the security researcher adhered to it, when researchers. It requires that researchers avoid deciding to investigate or lay charges.85 the following actions in the course of their testing activity: The Dutch approach to CVD is also significant • Installing malware; for the way it requires analysis, prior to prosecution, of whether the security research • Copying, changing or deleting data in a activity was done in the public interest, system (an alternative is creating a directory potentially providing some legal protection listing of a system); to disclosers in the context of coordinated • Making changes to the system; vulnerability disclosure. A policy letter on CVD • Repeatedly gaining access to the system or from the Dutch public prosecutor updated in sharing access with others; December 2020 provides legal clarification that other jurisdictions may wish to learn from. At • Using brute force to gain access to a the outset, the letter seeks to “stimulate CVD” system; and and encourage third parties to prevent careless • Using social engineering, or denial of or malicious behaviour on the internet.86 The 82 service attacks or testing. letter states that when an “ethical hacker” finds a vulnerability in an IT system and reports it to The NCSC’s policy also provides their own the relevant organization in a certain fashion, 83 promises to the security researcher. The then “in principle, no criminal investigation NCSC will not share the personal details of the is instituted,” as such behaviour constitutes discloser to third parties without the discloser’s coordinated vulnerability disclosure.87 consent, unless obligated to do so by law. The NCSC provides detailed information The organization and discloser may, in the about response times post-report submission, context of CVD, agree that no criminal report including a promise to try to resolve the security will be filed and/or that no civil action will be issue within 60 days. They also commit to taken.88 deciding along with the discloser whether and how details of the vulnerability will be published. It also provides rewards for those

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 19 In the Netherlands, prosecutors (and not the using the password “MAGA2020!” for his police) lay criminal charges. When assessing if Twitter account.90 Gevers had been conducting they are dealing with coordinated vulnerability semi-regular testing regarding the security disclosure, prosecutors must assess these three of Twitter accounts for high-profile US factors to determine whether the activity was election candidates when he discovered done in the public interest: that the president used this relatively easy- to-guess password. He did not change any • Motives: Was the action taken in the context of the account’s settings, nor did he post of a substantial social interest? any tweets from the account. He attempted to notify Trump’s campaign team about • Proportionality: Was the act proportionate this security error, informing them that other (did the person not go beyond what was safeguards were lacking, including two-factor necessary) to achieve the goal? authentication, before going to the press. After • The principle of subsidiarity: Was disclosure investigating the situation, the Dutch public made to the appropriate entity (did they prosecutor concluded that Gevers’ intention exhaust their remedies before disclosing and behaviour under the circumstances fell further)?89 under a criminal exemption for public interest (“ethical”) security research and vulnerability The public prosecutor’s letter states that it has disclosure.91 developed these three factors in accordance with jurisprudence, and in light of the rights Since 2013, relevant case law in the to freedom of expression for individuals Netherlands has demonstrated that the criteria and journalists provided by article 10 of the set out in the Dutch AG’s policy letter are also European Convention on Human Rights. The considered in court when an organization does letter states that a lack of a CVD policy is not have a CVD policy92 (as appeared to be not immediate reason to classify an ethical the case involving Trump’s Twitter account). hacker as a suspect. Instead, a prosecutor, The Dutch model has provided much needed ideally specialized in cybercrime, should be legal certainty for the stakeholders involved involved in a factual (not necessarily criminal) in vulnerability disclosure processes.93 The investigation as early as possible, in order to Dutch approach serves as one model for other determine whether coordinated vulnerability jurisdictions to follow when it comes to CVD disclosure has occurred or to proceed with a policies and guidelines. criminal investigation. The policy also describes the possibility of dismissing charges against an ethical hacker if CVD has occurred, even after commencement of a criminal investigation.

A noteworthy instance of the policy letter’s application involved the Twitter account for former president Donald Trump. In late 2020, Dutch security researcher Victor Gevers discovered that then-President Trump was

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 20 The United States: CISA, ºº What the discloser can expect in terms Regulation, and Minimized Legal of the communication and remediation Risk Centred on Authorization process; ºº The possibility for disclosure from The approach in the US requires federal anonymous sources, regardless of agencies to facilitate coordinated vulnerability citizenship; and disclosure and provides some minimization of ºº A prohibition against disclosing the legal risks posed to security researchers vulnerabilities to the Vulnerabilities who disclose in adherence to organization-run Equities Process (which is described in CVD procedures. greater detail below). • Agencies’ reporting requirements and As of March 1, 2021, all US federal agencies disclosure of CVD metrics to CISA; are required to have developed, published, and implemented vulnerability disclosure • The role of CISA in overseeing compliance policies, with exceptions for “national security with the Directive; and systems” and “certain systems operated by • An implementation guide (including a the Department of Defense or the Intelligence checklist, vulnerability disclosure program 94 Community.” These requirements are set out in template, FAQ and other information). the Binding Operational Directive 20-01 by the US Department of Homeland Security through Whereas the NCSC states that it can become the Cybersecurity and Infrastructure Security an intermediary when an organization fails to Agency (CISA). CISA was created in 2018 respond to vulnerability disclosure or does not and, in short, provides support, expertise, and respond appropriately, CISA may get involved resources to the federal government to defend in the disclosure process for various other 95 against cyberattacks. additional reasons. Federal agencies are required to immediately report to CISA when The Binding Operational Directive provides they receive newly discovered vulnerability detailed CVD requirements for federal information that involves commercial software agencies, specifying and providing: or services that “affect or are likely to affect other parties in government or industry.”96 • The need to develop and publish a They are also expected to report to CISA if the vulnerability disclosure policy that begins agency “believes CISA can assist with or should smaller in scope and eventually expands know about, particularly as it relates to outside over time, stipulating: organization,” as well as in “[a]ny other situation where it is deemed helpful or necessary to ºº What is in scope; involve CISA.”97 On top of being a last resort ºº How to submit vulnerability reports; for researchers who cannot reach a disclosure ºº The agency’s commitment not to contact or where there has been no response,98 recommend or pursue legal action it also appears that disclosures involving regarding good faith efforts to follow industrial control systems and medical devices the policy; are best disclosed to CISA.99

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 21 Other US federal agencies also have their and Technology (NIST) to publish guidelines own approaches to CVD that preceded the for vulnerability disclosure processes related to Binding Operational Directive. The Department government information systems, including IoT of Defense (DoD) has facilitated CVD since devices.107 The ICIA also requires the Director of 2016, enabling external security researchers to Management and Budget (in consultation with disclose vulnerabilities found in infrastructure the Secretary of Homeland Security) to develop owned, for example, by the Pentagon100 and the and oversee the implementation of coordinated Army.101 Background checks and citizenship disclosure policies for information systems verification were initially needed for the DoD’s as well as IoT devices. This Director is also invite-only, time-bound vulnerability disclosure required by the ICIA to disseminate information procedures involving remuneration.102 In about security vulnerabilities once they have May 2021, the DoD expanded the scope been resolved or remediated. of its CVD procedures from public-facing websites and applications to now include all In the wake of the SolarWinds, Microsoft “publicly-accessible networks, frequency- Exchange, and Colonial Pipeline incidents, based communication, Internet of Things, President Joe Biden issued an executive industrial control systems, and more.”103 The order in May 2021 aiming to improve the General Services Administration's Technology cybersecurity and protection for the federal Transformation Services (TTS) has also government’s networks.108 Among the many facilitated CVD involving its civilian systems solutions identified to improve the security of since 2016.104 the federal government’s software supply chain, the executive order seeks to establish baseline In terms of limitations on security research security standards for the development of activity, CISA’s vulnerability disclosure template software sold to the government, creating and the disclosure approaches of these other an “energy star” type of label to allow the federal bodies (DoD and TTS) all generally government and public to determine whether prohibit security testing methods such as denial the software was developed securely.109 It of service tests, physical testing, and social also requires standardization of the “federal engineering, among others. government’s playbook” for responding to security vulnerabilities and incidents involving a Without being exhaustive, there are numerous wide array of federal agencies.110 other pieces of legislation regarding CVD that have been enacted in the US. Since Though the impact of this executive order, December 2018, the SECURE Technology if any, is not yet clear, many of these policy Act has required the Secretary of Homeland changes have brought with them incremental Security to establish a vulnerability disclosure legal clarification as to how security research policy.105 The Hack Your State Department Act will be treated by the law — and in a way has also required the Department of State to that still explicitly presumes the centrality of establish a vulnerability disclosure process prohibitions against unauthorized computer since January 2019.106 As of December 2020, access and use. To provide context, it is widely the IoT Cybersecurity Improvement Act (ICIA) known to security researchers that the US has required the National Institute of Standards Computer Fraud and Abuse Act is a broadly

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 22 scoped federal law that has significantly (“bug bounty programs”) as circumstances expanded since 1984 to prohibit an expansive in which “individuals, organizations, and range of activity in respect of computers, companies are temporarily authorized to including their access and use.111 The US identify and report vulnerabilities of appropriate Digital Millennium Copyright Act (DMCA) also information systems” of the relevant federal prohibits the circumvention of technological department.116 CISA’s Binding Operational measures (e.g., encryption) that control access Directive seeks to commit federal agencies to to copyrighted works.112 “authorize good faith security research” while still requiring organizations to delineate what In 2017, the US Department of Justice stated constitutes authorized or unauthorized security that organizations that have implemented testing.117 CVD policies that “clearly describe authorized vulnerability disclosure and discovery conduct” These policy developments suggest that would substantially reduce “the likelihood that any legal protections in the US afforded to such described activities will result in a civil or security researchers in the context of CVD criminal violation of law under the Computer are still very much centred on the question Fraud and Abuse Act” (the CFAA).113 A Supreme of what constitutes authorized activity for the Court decision from June 2021 provides federal government. In some ways, this policy increased, yet limited, clarity regarding the approach stands in contrast to that of the legal treatment of computer security research Netherlands, which requires consideration of in the US context.114 And since at least 2018, specific factors that prioritize the circumstances it has been possible to engage in good faith and motivation surrounding security research security research involving the circumvention activity. The Dutch model, unlike the US of technological measures that control access approach, requires examination of whether to copyrighted works in certain circumstances, minimum actions were taken to demonstrate so long as the activity does not contravene the the existence of the vulnerability, as well as CFAA.115 exhaustion of disclosure remedies prior to the prosecution of vulnerability disclosure — However, whether computer access and/or not only in the context of CVD, but also in the use has been “authorized” still remains central context of security research more generally. to the US policy approach to security research and vulnerability disclosure. For example, the SECURE Technology Act and Hack Your State Department Act both define vulnerability disclosure procedures involving remuneration

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 23 CANADIAN CONTEXT: Vulnerability Disclosure for Federal Systems

04 Vulnerability Disclosure for Canadian Centre for Cyber Security facilitates Federal Systems the disclosure of “cyber incidents,” defined in such a way that does not readily include The Government of Canada has not yet vulnerabilities that have not yet been used for implemented a policy framework for facilitating exploitation. Once vulnerabilities are disclosed, coordinated vulnerability disclosure. There may an opaque and discretionary remediation also be legal risks for vulnerability discovery process is currently in use that provides and disclosure under criminal law, as well as inadequate transparency as to the fallout of copyright law in certain circumstances — in disclosure. many cases, without protection from legislation for whistleblowers. Legal Risks for Vulnerability Discovery and Disclosure The current approach may dissuade security There are numerous actions associated researchers from disclosing vulnerabilities with security research that may invoke the 118 found in the federal government’s systems. The application of federal laws. See, for example:

Security research Potential applicable law and provision Brief summary of provision activity

Unauthorized use of computer, computer Section 342.1 of the Criminal Code service, or computer password

Hacking (i.e., Section 380(1) of the Criminal Code Fraud unauthorized access), including unsolicited Mischief, or wilfully destroying or damaging security or penetration Section 430 of the Criminal Code property, including overloading computer testing systems, “causing chaos”119

Wilful interception of private Section 184 of the Criminal Code communications

Obtaining, storing or Unauthorized use of computer data, retrieving computer Section 342.1 of the Criminal Code requiring intent to commit mischief under s. data without 430 of the Criminal Code permission

Impersonation (a technique that is commonly referred to Section 402.2 of the Criminal Code Identity theft or identity fraud as “social engineering” in the computer security industry120)

Possession or use of hardware, software or Possessing, importing other tools used to commit hacking (section or using devices made Sections 342.2 of the Criminal Code 342.1 of the Criminal Code) or mischief for hacking (section 430 of the Criminal Code)

Circumvention of a “technological Circumventing security protection measure” for any technology, measures, including Section 41.1(1) of the Copyright Act device or component that controls access decryption to a copyrighted work or sound recording

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 25 When it comes to copyright law, good faith Protection Act only applies to public servants security researchers may benefit from the who are employed in the federal public exemptions that exist regarding the prohibition sector.124 Similarly, Canada’s federal private on circumventing security measures that sector data protection law prohibits any kind of control access to copyrighted works. Security reprisal against an employee or independent research may be exempted from such a contractor who discloses, in good faith and on prohibition when it is done under certain the basis of reasonable belief, a violation of circumstances, such as for the purposes of that law.125 encryption research,121 or for “assessing the vulnerability of the computer, system or network While a detailed analysis of whistleblower or correcting any security flaws.”122 protection law is out of scope for this report, such existing laws in Canada generally only On the other hand, a security researcher protect security researchers if: wishing to receive whistleblower protection in the disclosure process may not necessarily 1. The person is an employee or contractor of be protected by existing laws. Work by Florian the organization; Martin-Bariteau and Véronique Newman has 2. They disclose an issue that would violate a uncovered that there are over 40 pieces of law; and legislation across Canada that ostensibly protect whistleblowers from reprisals, albeit 3. The disclosure is made to a higher-level generally in the employment context.123 For officer or a specific governmental agency.126 example, the federal Public Servants Disclosure

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 26 Applying this to security vulnerabilities, constraints prevent the use of regular internal disclosure may easily be made to a higher- mechanisms. For example, someone who is level officer or specific governmental agency, eligible to receive whistleblower protection dependent on the availability of instructions would potentially be able to publicly disclose to do so, as well as contact information for information demonstrating that an exploitation these entities. However, many external security involving critical infrastructure (such as an oil researchers are likely to operate outside pipeline) could occur. However, the discloser of an organization, and would often not be would need to consider whether the benefits of considered employees or contractors. The disclosing such information would outweigh its disclosure of a security vulnerability may also harms. In terms of legal protection, situations not necessarily involve the violation of a law, that meet these circumstances are likely to be since such information generally involves the extremely rare. disclosure of conditions in which exploitation could occur. Additionally, the exploitation of a In sum, this brief legal overview provides one security flaw would presumably often involve indication that there currently exists no policy the violation of a law, but this is not necessarily framework in Canada enabling good faith the case in all circumstances. security research, including in the context of vulnerability discovery and disclosure. As such, In rare cases, a person protected under the laws in Canada that currently apply to whistleblower protection law (such as an computer security research activity could serve employee or contractor) may disclose to the as one reason to discourage and dissuade general public vulnerability information that security researchers from discovering and involves an immediate risk to public health, disclosing vulnerabilities found, for example, in safety, or the environment.127 Such disclosure the federal government’s computer systems. is generally only protected when time

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 27 The Government of Canada’s Defining the term in this way assumes that it Approach to Coordinated is clear what constitutes an “unauthorized” Vulnerability Disclosure attempt to access a computer system — despite the fact that, as described previously, We uncovered little evidence of a a good faith security researcher may engage straightforward or transparent disclosure and in activity that unwittingly meets this definition remediation path for someone who discovers of unauthorized computer access or use, security vulnerabilities in the Government of potentially attracting liability and possibly Canada’s digital systems. For instance, there is severe punishment pursuant to various laws, only ad hoc use of a coordinated vulnerability due to lack of a policy framework on this topic disclosure policy for COVID Alert, Canada’s in Canada. COVID-19 exposure notification app.128 The CCCS also tells those who visit its website: Our findings suggest that the Canadian “If you believe a cyber incident is an imminent Centre for Cyber Security (CCCS) is the only threat to life or of a criminal nature, please federal agency that readily addresses the contact your local law enforcement agency 134 disclosure of security-related information. The (911) or the RCMP.” The text on the CCCS CCCS currently acts as Canada’s computer website may be imbued with the assumption security incident response team and was that “cyber incidents” could easily constitute established within the Communications criminal activity. However, the existence of Security Establishment (CSE) in October a security vulnerability does not necessarily 2018.129 The CCCS aims to provide a “single, equate to unauthorized attempts to modify, unified team of government cyber security destroy, or render unavailable computer technical experts that will be the definitive networks or systems. Instead, the discovery of source of unique technical advice, guidance, a vulnerability is the discovery of a condition services, messaging, and support on cyber which may give rise to such activity. security operational matters for government, critical infrastructure owners and operations, The CCCS therefore does not readily the private sector, and the Canadian public.”130 facilitate the disclosure of system or code vulnerabilities; in fact, on its face, it primarily Disclosure of a vulnerability may generally facilitates the disclosure of wrongdoing or trigger the application of Canada’s Cyber potential wrongdoing. This stands in contrast Security Event Management Plan (CSEMP), to the Netherlands and the US, both of which which has provided a detailed system since explicitly seek to work with good faith security 2018 for responding to and reporting on what researchers in order to discover and repair it calls “cyber security events”,131 including the vulnerabilities. It also specifically stands in issuance of advisories.132 However, the CCCS contrast to the Dutch model, which has carved facilitates the disclosure of “cyber incidents,” out a legal exemption from criminal liability which it defines as “[a]ny unauthorized attempt, for acts of vulnerability disclosure that are whether successful or not, to gain access to, determined to occur in the public interest. modify, destroy, delete, or render unavailable By comparison, the cumulative effect of the any computer network or system resource.”133 CCCS’s terminology may dissuade a person

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 28 from disclosing a security vulnerability found behalf of an IT security practitioner, a critical in the federal government’s systems, for fear of infrastructure organization, and a government having engaged in wrongdoing and potentially department or agency.137 The CCCS’s page criminal activity. now provides dedicated contact information for information disclosure in the cybersecurity On May 12, 2021, the CCCS updated its “cyber context and, interestingly, allows people who incidents” webpage in a largely cosmetic fill out its form to check off “Vulnerability fashion by providing a “cyber incident” report identified”, which they define as “when form. The previous page was largely descriptive trusted parties identify flaws that could be in nature, describing the relationship between exploited by attackers, which have not yet cyber incidents and cybercrime, spam, been leveraged” (see Figure 2). Nonetheless, phishing, scams, fraud, and child exploitation.135 nothing else uncovered in our examination of It enabled people to report “an urgent cyber the form rectifies any of the longer-standing incident” to the CCCS, directing them to a issues described earlier pertaining to under- generic, catch-all contact page.136 As of May 12, inclusiveness when it comes to use of the term 2021, the “Report a cyber incident” webpage “cyber incident” leading up to that point in the provides discrete reporting mechanisms on reporting process.

Figure 2: The CCCS's Report a cyber incident form as of June 2021

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 29 A Closer Look: Coordinated Vulnerability Disclosure and the Department of National Defence

The networks of Canada’s Department of National Defence/Canadian Armed Forces (DND/CAF) are defended by an internal defence team that works in partnership with the CSE, the Department of Public Safety, Shared Services Canada (SSC), and the CCCS. The mandate of this collaboration is to develop policy for active cyber operations, to “establish and seek to preserve our freedom to maneuver within cyberspace and provide the Government of Canada with flexible cyber response options.”138 The development of these response solutions to evolving threats are conducted by the Cyber Security Engineering Program, with integrated IT solutions to joint operations provided by the Command, Control, Communications, Computer and Intelligence, Surveillance, and Reconnaissance program.139

Shared Services Canada provides and consolidates information technology services across federal government departments. The cyber and IT security mandate of the SSC involves the implementation of “firewall, anti-virus, and anti-malware, secure remote access, and vulnerability management to [GC] systems and services.”140 DND/CAF released a report in January 2021, warning that the Canadian Armed Forces’ operations and security were at risk, with several concerns raised by defence and military officials relating to major delays, legacy technology, procurement challenges, and significant costs spent by DND/CAF on IT services and support annually.141 In April 2021, SSC signed a multi-year agreement with BlackBerry to use its BlackBerry Spark and BlackBerry SecuSUITE cybersecurity products.142

Challenges for implementing a framework for CVD in Canada were raised in a 2019 Standing Committee on Public Safety and National Security meeting143 — in particular, the need for security researchers to have a legitimate process to disclose vulnerabilities with proper legal authorities and security checks. Speaking as an individual, Steve Waterhouse, former Information Systems Security Officer for the Department of National Defence, pointed out that “the contracts that Public Services and Procurement Canada enter into have to be properly done. They have to contain a section on security. A security check has to be done. If an individual, or group of individuals, works on the government’s information systems, they have to have received the appropriate legal authorization to be able to do the work.”144 As outlined below, clarity is important in the framing of such CVD eligibility requirements, as well as expectations around acceptable activity in the disclosure process.

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 30 Discretionary and Potentially As mentioned, the Cyber Security Event Opaque Treatment of Management Plan appears to provide a fairly Vulnerabilities Once robust system for the federal government’s Disclosed response to “cyber security events”, which also includes the disclosure of vulnerabilities. Perhaps one of the most troubling aspects While a detailed analysis of this framework — from the little that is publicly known — is out of scope for this report, the CSEMP regarding the Government of Canada’s explicitly accounts for the fact that the vulnerability handling procedures concerns Canadian government may receive “threat the withholding of vulnerability information for and intelligence,” as well as “incident” reports, offensive and defensive purposes that may from “external sources” during the detection achieve certain military and/or intelligence and assessment phase when it comes to 145 goals. As it stands, the Communications Canada’s awareness of security events. The Security Establishment has the discretion to CCCS, among many of the solutions identified withhold vulnerability information it receives in the course of a “cyber security event”, from not only the public, but also potentially can coordinate messaging to “implicated from other federal agencies and departments. stakeholders as required throughout the cyber security event management process” (see Figure 3), such as through the dissemination, for example, of advisories and alerts.

Figure 3: The CSEMP Cyber Security Event Management Process

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 31 For example, it seems plausible that the the NSA instead decided to develop code CCCS’s alert first issued in March 2021 to exploit it for more than five years.152 Then, regarding the prominent security exploits starting in 2016, the anonymous Shadow associated with unpatched Microsoft Exchange Brokers group released an enormous trove servers146 was disseminated pursuant to the of information about the NSA’s intelligence CSEMP. We applaud the CCCS’s decision to gathering capabilities — including exploits and quickly release information on these known previously unknown vulnerabilities found in vulnerabilities and exploits, the publication of software and security products used for critical which generally serves the CSEMP’s aim to infrastructure and systems around the world.153 adequately manage “cyber security events,” In April 2017, one of the NSA exploits released such as vulnerability disclosure, in order to by the Shadow Brokers, dubbed EternalBlue, protect federal computer systems and the involved the same vulnerability that the NSA people they serve in Canada. had been exploiting for years.154 The attackers behind the famed WannaCry ransomware in On the other hand, the CSE also has in fact relied on the EternalBlue exploit, ultimately place a vulnerability “equities management” resulting in over 200,000 infected computers framework.147 This opaque term and procedure involving hospitals and banks, and an initially emerged in 2008 in the US context estimated $4 billion in losses worldwide.155 This under President Bush, and was later developed story reflects just the tip of the iceberg when during the Obama administration.148 In it comes to the impact of vulnerabilities that layperson’s terms, “equities management” are withheld by nation states — and that can refers to the process by which a government potentially be exploited by others.156 decides whether to disclose software vulnerabilities in order to mitigate the risks While the US VEP is far from being perfect,157 they pose or to “withhold [such] information the Cybersecurity and Infrastructure Security … for purposes including law enforcement, Agency has nonetheless stated numerous intelligence gathering, and ‘offensive’ times that vulnerability reports collected under exploitation.”149 The US Vulnerabilities Equities its own CVD policy, as well as CVD policies Process (VEP) charter was fully released in for federal agencies, must be remediated November 2017; the UK released details of its and shall not be subject to consideration own equities process in 2018;150 and Canada and adjudication in the VEP158 (pursuant to released details for its equities management section 5.4 of the US VEP charter).159 Across the process in March 2019.151 ocean, the UK Equities Process acknowledges, albeit less categorically, that vulnerabilities Government handling of security vulnerabilities that “have already been subjected to similar has significant and potentially far-reaching considerations by a partner” and shared with consequences. For example, consider the US the National Cyber Security Centre (a branch of National Security Agency’s (NSA) decision the GCHQ) may not be subject to the Equities not to disclose a vulnerability in the Windows Process.160 The UK Equities Process therefore operating system and the aftermath that provides no definition of “partner,” and the term ensued.Rather than inform Microsoft of the “may” renders this general rule discretionary. existence of this vulnerability for risk mitigation,

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 32 In the Canadian context, many publicly It remains unclear whether vulnerabilities that available details of the Equities Management are disclosed to the CCCS could be assessed Framework (EMF) are lacking.161 We do know and withheld under Canada’s EMF, which is that the CSE has a vulnerability disclosure currently marked by opacity. This lack of clarity, assessment process involving experts from and the potential for the significant confusion the CCCS for deciding whether to withhold it engenders from the perspective of the or disclose vulnerability information based general public and security researchers, further on a certain set of factors.162 The EMF is also confirms that a policy framework is lacking guided by the principle that vulnerabilities “that when it comes to the handling of vulnerability are public knowledge will not be subject to disclosure for federal government systems in an equity assessment under this Framework.” Canada. On its face, this principle could imply that vulnerabilities become “public knowledge” when they are disclosed to affected organizations and governments — and are therefore, in theory, not subject to assessment under the EMF.

Yet, the use of the term “public knowledge” without further clarification could exclude vulnerabilities that are disclosed to government, the details of which are not disclosed to the public as a whole. Further, the EMF states that "[v]ulnerabilities discovered by CSE through operational research, or otherwise obtained, will be subject to the process outlined in this Framework.”163 This statement does not rule out the possibility that vulnerabilities disclosed to the CCCS will be handled under the CSE’s framework, meaning that vulnerability information already known by non-government individuals could be withheld by the CSE and exploited by malicious actors if this critical information ended up in the wrong hands.

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 33 POLICY SOLUTIONS Steps to Better Ensure Secure Systems in Canada

05 Steps to Better Ensure the term as referring to the ability to defend Secure Systems in Canada one’s actions due to an honest but mistaken belief that justifies the action in question.165 Canada Needs a Policy Enacting an amendment to the Criminal Code Framework for Security Research could provide useful legislative clarification and Good Faith Vulnerability up front as to when security research activity Disclosure falls outside the scope of activity captured by section 342.1, rather than relying on the courts Canada needs a policy framework that to fill these gaps when it comes to good faith provides increased legal clarity for security security research. research and vulnerability disclosure that occur in good faith. As described previously, certain Second, the Department of Justice could aspects of Canada’s criminal law may have a alternatively issue a Directive of the Attorney chilling effect on good faith computer security General pursuant to the Director of Public vulnerability discovery and disclosure. Prosecutions Act that directs the Director of Public Prosecutions to prosecute computer Without being exhaustive, there are at least security research activity in light of certain two possible ways forward in terms of a policy considerations and only under certain circumstances. Such an initiative would not framework. First, the federal government could clarify the criteria that need to be met in order be unprecedented in Canada. For example, for a good faith security researcher to test, since December 2018, federal prosecutors investigate and attempt to correct security and those acting on their behalf must now vulnerabilities found within computer systems in follow the Directive on Prosecutions involving a way that does not give rise to criminal liability, Non-Disclosure of HIV Status, which stipulates particularly under section 342.1 of the Criminal when prosecution must not occur and should Code. Section 342.1 of the Code makes it a generally not occur, as well as what factors punishable offence to engage in unauthorized must be considered when prosecuting cases use of a computer (described in greater detail of non-disclosure of HIV status, given that such in the provision of the Code itself) when done decisions must be determined on the basis of 166 so fraudulently and “without colour of right,” recent medical science on HIV transmission. which are both elements of the offence set out In a similar vein, a Directive of the Attorney in section 342.1. General could be released in Canada that adopts aspects of the Dutch public However, there is a growing body of legal prosecutor’s policy letter, requiring federal decisions at the trial and appellate level, prosecutors to consider the following when demonstrating that courts have spent prosecuting computer security research activity considerable time deciding the thresholds involving vulnerability disclosure: required to meet the standards, particularly • Motives: Was the action taken in the context for these two terms.164 The notion of “colour of a substantial social interest? of right” is particularly significant in the • Proportionality: Was the act proportionate context of coordinated vulnerability disclosure (did the person not go beyond what was because some courts have come to interpret necessary) to achieve the goal?

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 35 • The principle of subsidiarity: Was disclosure stand to benefit when they work with security made to the appropriate entity (did they researchers to identify and remediate existing exhaust their remedies before disclosing vulnerabilities, while making sure to alert those further)?167 who might be affected.170 Those who find flaws in the government’s systems and critical The Directive in Canada could also encourage infrastructure should therefore be provided organizations that implement CVD procedures with a well-thought-out pathway for disclosing to clearly state that disclosing in adherence vulnerabilities to the owners or managers of with that policy’s requirements would fall under those systems and/or the federal government. authorized activity (which could otherwise be prohibited by various laws including criminal As discussed earlier, Canadian policymakers provisions). This legal clarification is provided in can particularly learn from two jurisdictions the Dutch context as described previously, and leading the way when it comes to the in a clarifying document published in 2017 by decision to require or encourage the use of the Department of Justice.168 The vulnerability CVD procedures. Canada has the option of disclosure policy template issued by CISA also implementing regulation as the US has done, requires federal agencies to consider good issuing binding requirements that each federal faith vulnerability disclosure that occurs in line agency deploys its own CVD policy. However, with the applicable CVD policy as constituting there are risks associated with this approach: authorized activity.169 While such a Directive in the scope of what can be tested ought to be the Canadian federal context would apply to initially limited, and there must be adequate Canada’s territories, it would be important for internal expertise to handle such disclosures. provincial attorneys general to also adopt the Canada may prefer to draw on the Dutch Directive in their own provinces. model for CVD, where organizations (such as software vendors or certain government We encourage the Government of Canada, bodies) that manage or own computer and particularly the Department of Justice, to systems are encouraged (but not required) to examine these solutions as two possible ways facilitate coordinated vulnerability disclosure. forward, given the need for a policy framework In either case, a specific government for good faith computer security vulnerability cybersecurity agency in Canada could act discovery and disclosure in Canada. as an intermediary on an as-needed basis. Clarification would also be useful as to Canada’s Federal Agencies when a security researcher should disclose Need Vulnerability Disclosure vulnerability information to a software vendor Procedures in Line with Best and/or the affected federal agency. Practices As mentioned, CVD procedures for the On a more pragmatic level, the Government Government of Canada’s systems would of Canada should consider strengthening its ideally be implemented only when internal and external disclosure procedures organizations and/or agencies have the ability for vulnerabilities involving federal computer to adequately respond to external vulnerability systems. Governments and organizations reports, as well as patch and remediate

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 36 those vulnerabilities. For example, the US cybersecurity best practices175 including NIST,176 Department of Defense vulnerability disclosure ISO standards,177 and work by Woszczynski et program slowly broadened the scope of what al.,178 we have identified that there are generally could be tested over the course of several at least five aspects that are foundational for years.171 The UK has been working with effective CVD processes: vulnerability disclosure experts, such as Katie Moussouris of Luta Security, to carefully role 1. Define eligibility. Who is able to submit out a multi-year pilot vulnerability disclosure vulnerability reports, and in what manner, program, improving its system slowly over should be clearly delineated. There 172 time. Implementing a pilot CVD program should generally not be limitations on is necessary for avoiding initial overload, who can submit and whether people providing an opportunity for the government to can submit anonymously. It is also not collect data, to inform more mature handling a common practice to limit who can of vulnerability disclosures. During the pilot, a disclose vulnerabilities based on security security maturity assessment process should clearances, country of origin, or residence be developed and implemented to assess, except in rare cases such as time-limited, prioritize, and add resources necessary for invite-only new vulnerability disclosure vulnerability management. It is also vital that procedures involving, for example, military any government entity wishing to facilitate systems.179 CVD procedures for the first time avoid doing so primarily for the purposes of hype, 2. Provide submission and verification marketing, or to mitigate the risk of unwanted procedural information. The vulnerability attention associated with fully or partially reporting and triage processes should be public disclosure of vulnerabilities found in its clear. Encrypted communication should be systems.173 an encouraged option to better secure the information passed on. The organization It is equally important that CVD procedures handling the vulnerability disclosure involving Canada’s federal government process should be transparent about how systems contain certain standard elements and it responds to submissions and in what are written in a clear, accessible fashion. The time frame. It is similarly important that the benefits of clearly written procedures are two- organization clearly state its commitment fold. First, they allow organizations to glean the to take the steps needed to mitigate the insight and expertise of highly motivated good risk and resolve the vulnerability once it faith security researchers. Second, they enable is deemed valid. The process should also these researchers to disclose vulnerabilities provide details as to how the organization and strengthen the security of systems with verifies vulnerability information and clarification around what constitutes legal assesses the level of criticality. activity.174

There are standard elements that CVD 3. Set out restrictions and expectations. It is procedures should contain, including those important to set out mutual expectations run by governments. Drawing on established for both security researchers and those

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 37 to whom vulnerabilities are disclosed, in be a way to acknowledge the labour and order to build goodwill and increase trust efforts of security researchers. However, among all parties involved. Expectations when it comes to paying disclosers, of security researchers should be set out, governments may face administrative including what activity is prohibited (such hurdles involving procurement procedures as the use of social engineering or denial and requirements. Other remuneration of service testing). Similarly, organizations considerations also include the long-term should set out the timeline that disclosers impacts of the government’s potential can expect in terms of communication reliance on an external, distributed and remediation of the flaw.180 Drawing workforce for vulnerability discovery and on the policy framework that we hope is disclosure, particularly with respect to provided by the Government of Canada, the labour rights implications for security CVD policies should also clarify and limit researchers.182 the scope of legal liability for people who disclose vulnerabilities in good faith and in 5. Advise the public of the vulnerability and adherence with the procedures set out. its remediation. It is important to provide the public with information about the 4. Provide credit and recognition. Disclosers vulnerability once remediation has occurred should receive public credit for their or is made available, as part of efforts to submission once the vulnerability has been make vulnerability reports public in order repaired, so long as they consent. Canada to strengthen the security of government could run a page similar to that provided by systems and critical infrastructure. In the Germany’s armed forces, which provides US context, CISA alerts organizations to details on all disclosed vulnerabilities security threats to critical infrastructure (e.g., disclosure date, URL involved, type of networks and provides the public with vulnerability) and public recognition of the information about exploits, security issues, discloser (using their name or alias).181 It and vulnerabilities for which a patch has is also possible to provide disclosers with become available.183 Canada should build recognition for their contributions in the on its already existent alert and advisory form of awards, gift vouchers, and possibly system184 by publishing advisory information monetary remuneration or honoraria. about vulnerabilities discovered through Various considerations accompany CVD procedures enabled by the federal the decision of whether to remunerate government. for voluntary external disclosures. Remunerating disclosers for vulnerability These emerging, standard elements of CVD are information can encourage them to share by no means exhaustive, and we encourage this information with software and hardware the Government of Canada to work with vendors, as well as the Government of technical and policy experts in its determination Canada, rather than to others in ways of whether and how to implement CVD that could be used for offensive purposes procedures for its systems. against the Canadian government’s systems. Remunerating disclosers can also

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 38 Disclosed Vulnerabilities Must Be remediate flaws that have effectively become Kept Separate from the Equities public knowledge can put the government’s Management Framework systems and critical infrastructure at risk due to the potential that the external actor and others It is vital that Canada shift away from an who learn about these vulnerabilities could approach that attempts to achieve the security exploit them. One need only look to the story of of its systems through reliance on obscurity WannaCry, described earlier, to understand the and secrecy. Instead, it should move toward grave harm that can arise when governments an approach that facilitates transparent and fail to disclose vulnerabilities to vendors for risk accountable procedures when it handles mitigation and remediation, enabling attackers disclosed vulnerabilities. As described to exploit such vulnerabilities known to the previously, it is currently not clear how government. Canadian government bodies, including the Canadian Centre for Cyber Security, handle the For these reasons, Canada should both state vulnerability reports they receive. in its Equities Management Framework, and in any vulnerability disclosure procedures It is important that the Government of Canada involving government systems, that ensures that appropriate steps are taken to vulnerabilities disclosed through CVD must be mitigate the risks associated with externally resolved and kept separate from the equities reported vulnerabilities, including ensuring management and assessment process. their remediation. When vulnerabilities disclosed through a CVD procedure end up being assessed in an equities management framework, this is an indication that the equities management process has failed. Failing to

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 39 About the Authors

Yuan Stevens is the Policy Lead at the Cybersecure Policy Exchange and the Ryerson Leadership Lab. Yuan is an action-oriented researcher working at the intersections of law, policy and computer security. Her work equips society with the ability to understand and patch up harmful vulnerabilities in sociotechnical and legal systems. Passionate about building community, she is also a research affiliate at the Data & Society Research Institute and a research fellow at the Centre for Media, Technology & Democracy at McGill’s School of Public Policy. She received her B.C.L./J.D. from McGill University in 2017, working as a research assistant for hacker expert Gabriella Coleman. She serves on the board of directors for Open Privacy Research Institute and previously worked at the Berkman Klein Center for Internet & Society at Harvard University.

Stephanie Tran is an experienced researcher with over five years of experience analyzing public policy and human rights issues related to digital technologies, with past experience working for the Citizen Lab, Amnesty International Canada, the United Nations Office for the Coordination of Humanitarian Affairs (UN OCHA) and more. She is a trained computer programmer, having earned a Diploma in Computer Programming from Seneca College. She also holds a dual degree Master of Public Policy (Digital, New Technology and Public Affairs Policy stream) from Sciences Po in Paris, and a Master of Global Affairs from the University of Toronto. She earned her BA degree from the University of Toronto specializing in Peace, Conflict and Justice.

Ryan Atkinson is an experienced researcher on cybersecurity challenges and solutions, pursuing his PhD in Political Science at the University of Western Ontario, where he is examining the cyber defence policy of NATO, Canada and other member states. He has led the Cybersecurity and Information Warfare Program at the NATO Association of Canada as Research Analyst and Project Manager, publishing numerous analytic articles and in-depth interviews on subjects of cybersecurity, hybrid warfare, and disinformation. He also guided organizational attainment of cyber industry resilience from information security infrastructure frameworks within various industries including telecommunications, healthcare, finance, technology and government as a cybersecurity consultant at KPMG Canada.

Sam Andrey is the Director of Policy & Research at the Ryerson Leadership Lab. Sam has led applied research and public policy development for the past decade, including the design, execution and knowledge mobilization of surveys, focus groups, interviews, randomized controlled trials and cross-sectional observational studies. He also teaches about public leadership and advocacy at Ryerson University and George Brown College. He previously served as Chief of Staff and Director of Policy to Ontario’s Minister of Education, in the Ontario Public Service and in not-for-profit organizations advancing equity in education and student financial assistance reform. Sam has an Executive Certificate in Public Leadership from Harvard’s John F. Kennedy School of Government and a BSc from the University of Waterloo.

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 40 Appendix A: Global State of Play for Coordinated Vulnerability Disclosure

Has distinct Provides Publicly and clear Disclosure Describes terms and Remuneration disseminates Disclosers disclosure process the rules for (e.g. monetary) information If applicable, specific can Organization process for open submission disclosers can be about Country Membership federal government publicly name vulnerabilities to the and (e.g., provided for vulnerabilities organization receive involving general verification limiting those who disclosed credit government public process what is in submit through CVD systems scope) process Dirección Argentina G20 Member Nacional de Innovación Pública Unknown Ciberseguridad Australian Cyber Security Centre, based Australia G20 Member CERT Australia Unknown in Australian Signals Directorate Department of Information and Brazil G20 Member CTIR Gov Unknown Communications Security Canadian Centre Communications Canada G20 Member Unknown for Cyber Security Security Establishment

China G20 Member CNCERT/CC n/a

EU G20 Member EU-CERT n/a

National Agency for the France G20 Member CERT-FR Security of Information Unknown Systems (ANSSI) Federal Office for Germany G20 Member CERT-Bund Information Security Unknown (BSI) Ministry of Electronics India G20 Member CERT-In and Information Technology

Indonesia G20 Member ID-CERT n/a Unknown

Security Intelligence Italy G20 Member CSIRT Italy Unknown Department (DIS) Independent, but working alongside Japan G20 Member JPCERT/CC Information-technology Promotion Agency (IPA)

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 41 Non-G20 Ministry of Defense of Latvia CERT.LV Member the Republic of Latvia

Mexico G20 Member CERT-MX Guardia Nacional Unknown

National Cyber Non-G20 Ministry of Justice and Netherlands Security Centre Unknown Member Security (NCSC) Ministry of Business, New Non-G20 CERT NZ Innovation and Unknown Zealand Member Employment Federal Service for Data Security Technical and Export Russia G20 Member Threats Databank Control, based in the * Ministry of Defence Saudi National Cybersecurity G20 Member CERT-SA Unknown Arabia Authority Cyber Security Agency of Ministry of Non-G20 Singapore and Communications and Singapore Member Government Information; Prime Technology Minister’s Office Agency South African Dept. of Computer South Africa G20 Member Telecommunications Unknown Security Incident and Postal Services Response Team National Cyber Security Center (NCSC), based South Korea G20 Member KN-CERT Unknown in National Intelligence Service Non-G20 Spanish National Spain CCN-CERT Member Intelligence Centre Information Technologies and Turkey G20 Member TR-CERT Unknown Communication Authority Government United National Cyber G20 Member Communications Kingdom Security Centre Headquarters (GCHQ) CISA Binding Cybersecurity & Operational USA G20 Member Infrastructure Security Directive for Agency federal agencies

Legend: * = Recognition given through points

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 42 Appendix B: List of Participants

It is important to note that the varied perspectives of our workshop participants greatly informed this report; however, the statements and recommendations are solely those of the authors.

A list of workshop participants (who consented to having their names made publicly available) is as follows:

1. Amit Elazari, Director, Global Cybersecurity Policy, Intel Corporation 2. Baiba Kaškina, CERT.LV 3. Brenda McPhail, Director, Privacy, Technology & Surveillance Project, Canadian Civil Liberties Association 4. Christopher Parsons, Senior Research Associate at Citizen Lab, Munk School of Global Affairs & Public Policy, University of Toronto 5. Florian Martin-Bariteau, Associate Professor of Law, University Research Chair in Technology and Society, and Director, Centre for Law, Technology and Society, University of Ottawa 6. Gianluca Varisco, CEPS Research Affiliate 7. Jeroen van der Ham, National Cyber Security Centre (Netherlands); Associate Professor of Incident Response, University of Twente 8. Josh Kenway, Cybersecurity & Technology Policy Analyst, PayPal 9. Katherine Rusk, Lawyer, Osler, Hoskin & Harcourt LLP 10. Katie Moussouris, CEO, Luta Security 11. Lisa Wiswell Coe, Independent (Former architect of the Hack the Pentagon CVD program and DoD VDP) 12. Melanie Rieback, CEO and Co-founder of Radically Open Security 13. Milos Stojadinovic, Senior Director, Adversary Emulation (Red Team), Royal Bank of Canada 14. Rafal Rohozinski, CEO, SecDev / ZeroPoint 15. Sumit Bhatia, Director, Innovation and Policy at Rogers Cybersecure Catalyst; Canada’s National Cybersecurity Centre 16. Tara Swaminatha, Principal, ZeroDay Law 17. Tarah Wheeler, Cyber Project Fellow, Belfer Center for Science and International Affairs & International Security Fellow, New America

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 43 Appendix C: Definitions

Bug bounty program: Programs that provide financial Vulnerability disclosure: Providing information on a rewards for individuals who disclose security vulnerability to a party that is likely unaware of it.193 vulnerabilities to the relevant organization. Bug bounty Different options for disclosure may include: programs can be one mechanism as part of a larger coordinated vulnerability disclosure program. They can be No disclosure: Everything known about the time-bound or ongoing, as well as invite-only or open to vulnerability is kept private. Vendors may prefer this the public. method in order to prevent implicating their public image, or to protect trade secrets.194 This may also Community Emergency Response Team (CERT): A occur due to researchers feeling discouraged from malleable term that often takes the form of a security disclosing out of fear of retribution, or as a result operations centre, incident response team, group of of governments wanting to take advantage of the forensic investigators or engineering teams that respond vulnerability for national security or intelligence to security incidents.185 However, Carnegie Mellon purposes.195 University owns the trademark for “CERT” and must approve any uses of the term.186 Coordinated vulnerability disclosure (CVD): An approach, framework or process where disclosers The first CERT was created by DARPA (Defense Advanced and organizations work in cooperation to examine Research Projects Agency) after the 1988 Morris worm, and resolve discovered vulnerabilities. It typically where grad student Robert Morris spread a non- involves “reporting, coordinating, and publishing destructive worm across Cornell university computers information about a vulnerability and its resolution,” that caused many computers to crash.187 This incident aiming to ensure that vulnerabilities are resolved and led to the creation of the first computer security incident that risk is limited.196 Some principles that underly response team (CSIRT) in November 1988, the CERT CVD are to reduce harm, presume benevolence of Coordination Center.188 Over time, the CERT model has individuals who report vulnerabilities, and incentivize adapted and evolved to other jurisdictions.189 cooperative behaviour.197

Computer security incident response team (CSIRT): A Full disclosure: All information about the vulnerability term that has essentially the same meaning as CERT, is released to the public. This usually includes a but is not trademarked and can therefore by used by published report on the vulnerability, as well as proof any organization without permission from the Software of concept code.198 Engineering Institute at Carnegie Mellon University.190 Limited (partial) disclosure: Some, but not all, of Communications Security Establishment: Canada’s the information known about the vulnerability is intelligence agency responsible for monitoring foreign disclosed publicly. In these cases, some information intelligence activity, maintaining the security and on the vulnerability is provided, while technical assurance of information in Canada, and conducting details and proof of concept code may be defensive and offensive foreign cyber operations.191 withheld.199

Discloser: An individual who discloses a vulnerability Vulnerabilities equities process (VEP): A term used by found in an information system. some government agencies to determine the processes to follow when deciding whether to disclose vulnerabilities Vulnerability: A weakness that can be exploited by an or to retain knowledge of the vulnerability in order attacker, allowing them to perform unauthorized and/ to exploit it for law enforcement, national security, or or undesirable actions. The weakness can be found intelligence purposes. They are the “internal policymaking in hardware or software, “in an information system, structures” that help governments decide how to handle system security procedures, internal controls, or vulnerabilities.200 implementation.”192 Examples include the US’ Vulnerabilities Equities Process,201 the UK’s Equities Process,202 and Canada’s Equities Management Framework.203

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 44 References 1 Digital Security Group. (2008, March 7). Security Flaw in Mifare 18 Samos, C. (2021, April 29). Ransomware demands estimated Classic. Nijmegen Institute for Computer Science and Information to have cost hundreds of millions of dollars in Canada in 2020: Science. https://www.sos.cs.ru.nl/applications/rfid/main.html; report. CTV News. https://www.ctvnews.ca/sci-tech/ransomware- Digital Security Group Radboud University Nijmegen. (2008, demands-estimated-to-have-cost-hundreds-of-millions-of- March 12). Security Flaw in MIFARE Classic [Press release]. dollars-in-canada-in-2020-report-1.5407727. https://www.cs.ru.nl/~flaviog/publications/Security_Flaw_in_ MIFARE_Classic.pdf. 19 Statistics Canada. (2020, October 20). About one-fifth of Canadian businesses were impacted by cyber security incidents 2 Kirk, J. (2008, June 20). Dutch Launch Open-source Smart Card in 2019. Government of Canada. https://www150.statcan.gc.ca/ Software Project. ABC News. n1/daily-quotidien/201020/dq201020a-eng.htm. https://abcnews.go.com/Technology/PCWorld/story?id=5210881. 20 Wheeler, T. (2018, September 12). In Cyberwar, There Are No 3 EDRi. (2008, July 16). Dutch University sued to stop publishing Rules. Foreign Policy (Fall 2018). research on chip technology. EDRi. https://foreignpolicy.com/2018/09/12/in-cyberwar-there-are-no- https://edri.org/our-work/edrigramnumber6-14dutch-university- rules-cybersecurity-war-defense/. chip. 21 Yes We Hack. (n.d.). Coordinated Vulnerability Disclosure: 4 NXP BV v. Radboud University, 18 July 2008, Court of Joining Forces to Reduce Risk [White paper]. Yes We Hack. Justice Arnhem, https://f.hubspotusercontent00.net/hubfs/7520354/livre-blanc- https://uitspraken.rechtspraak.nl/ yes-we-hack-CVD-EN.pdf. inziendocument?id=ECLI:NL:RBARN:2008:BD7578. 22 Tech Checkup: Dealing with Technology Change in Pandemic 5 EDRi (2008, July 16). Recovery. (2020, October 15). The Conference Board of Canada. https://www.conferenceboard.ca/focus-areas/innovation- 6 NXP BV v. Radboud University (2008). technology/tech-checkup.

7 van t’Hof, C. (2016). Helpful Hackers: How the Dutch do 23 Shekar, S. (2020, August 5). Cost of Data Breaches in Canada Responsible Disclosure. Vior Webmedia. 52. up 6.7% in 2020. Yahoo Finance. https://ca.finance.yahoo.com/news/cost-of-data-breaches-in- 8 Hof, Helpful Hackers, 51-52. canada-up-67-in-2020-191002562.html.

9 NXP BV v. Radboud University (2008). 24 National Cyber Threat Assessment. (2020, November 16). Canadian Centre for Cyber Security. Communications Security 10 Ibid Establishment. https://cyber.gc.ca/sites/default/files/publications/ 11 Ibid, para. 3.3, translation by report authors. ncta-2020-e-web.pdf

25 12 Radboud University Nijmegen. (n.d.). Roel Verdult. Institute Henriquez, M. (2020, December 9). IoT Cybersecurity for Computing and Information Sciences. http://www.cs.ru. Improvement Act signed into law. Security Magazine.; Information nl/~rverdult/. Technology Laboratory: Computer Security Resource Center. (2021, February 4). Vulnerability Disclosure Guidance. National 13 Pupillo, L., Ferreira, A., & Varisco, G. (2018). Software Institute of Standards and Technology. https://csrc.nist.gov/ Vulnerability Disclosure in Europe: Technology, Policies and Legal Projects/vdg. Challenges (Report of a CEPS Task Force). Centre for European 26 Policy Studies (CEPS) Brussels. https://www.ceps.eu/wp-content/ Canadian Centre for Cyber Security. (2020). National uploads/2018/06/CEPS%20TFRonSVD%20with%20cover_0. Cyber Threat Assessment 2020. Communications Security pdf; Health Canada. (2019, December 10). Scientific Advisory Establishment. https://cyber.gc.ca/sites/default/files/publications/ Committee Digital Health Technologies (SAC-DHT) November ncta-2020-e-web.pdf 23, 2018 Record of Proceedings [Decisions]. Government of 27 Canada. https://www.canada.ca/en/health-canada/services/ Householder, A. D., Wassermann, G., Manion, A., & King, C. drugs-health-products/medical-devices/activities/scientific- (2017). The CERT Guide to Coordinated Vulnerability Disclosure. expert-advisory-committees/digital-health-technologies/record- Software Engineering Institute. https://resources.sei.cmu.edu/ proceedings-2018-11-23.html. asset_files/SpecialReport/2017_003_001_503340.pdf.

28 14 OECD. (2021). Encouraging vulnerability treatment: Overview Public Prosecution Service. (2020, December 14). OM Policy for policy makers. OECD Digital Economy Papers, 307, 1-45. Letter Coordinated Vulnerability Disclosure. https://www.om.nl/ https://www.oecd-ilibrary.org/docserver/0e2615ba-en.pdf. documenten/richtlijnen/2020/december/14/om-beleidsbrief- ethisch-hacken. 15 Brady, R. M., Anderson, R. J., & Ball, R. C. (1999). Murphy’s 29 law, the fitness of evolving species, and the limits of software Elazari, A. “The Law and Economics of Bug Bounties” (2018), reliability. University of Cambridge Computer Laboratory, 471, USENIX 27th Security Symposium, https://www.usenix.org/ 1-14. https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-471.pdf. conference/usenixsecurity18/presentation/elazari-bar; OECD, Encouraging vulnerability treatment. 16 Farwell, J. P., & Rohozinski, R. (2011). Stuxnet and the Future of 30 Cyber War. Survival, 53(1), 23–40. https://doi.org/10.1080/0039 Secretary of the Air Force Public Affairs. (2018, November 6338.2011.555586; Perlroth, N. (2021). This Is How They Tell Me 5). USAF announces Hack the Air Force 3.0. U.S. Air Force. the World Ends: The Cyberweapons Arms Race. Bloomsbury https://www.af.mil/News/Article-Display/Article/1682502/usaf- Publishing. https://thisishowtheytellmetheworldends.com/. announces-hack-the-air-force-30/

31 17 Public Safety Canada. (2019). National Cyber Security Action Vulnerability Reporting. (2018, November 15). National Plan (2019-2024): Budget 2018 Investments. Government of Cyber Security Centre. https://www.ncsc.gov.uk/information/ Canada. https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl- vulnerability-reporting cbr-scrt-strtg-2019/index-en.aspx.

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 45 32 EU-FOSSA 2—Free and Open Source Software Auditing. (n.d.). 49 Ibid. European Commission. Retrieved February 24, 2021, from https:// ec.europa.eu/info/departments/informatics/eu-fossa-2_en 50 Neutze, J. (2017), Coordinated Vulnerability Disclosure (CVD), https://www.ceps.eu/wp-content/uploads/2017/05/Jan%20 33 Braga, M. (2016, November 28). The Canadian government Neutze%20Microfsoft%20-%20CVD.pdf; Kranenbarg, M., Holt, doesn’t want hackers’ help. CBC. https://www.cbc.ca/news/ T. J., & van der Ham, J. (2018). Don’t shoot the messenger! A technology/canadian-government-hackers-1.3866336; The criminological and computer science perspective on coordinated Canadian Press. (2015, July 28). Hackers target Canadian vulnerability disclosure. Crime Science, 7(1), 16. https://doi. government websites. The Globe and Mail. https://www. org/10.1186/s40163-018-0090-8. theglobeandmail.com/news/national/hackers-target-canadian- government-website/article25729750/; Jones, R. P. (2020, 51 Wheeler, T. (2021, May 3) “Cybersecurity Ignorance Is August 17). Cyberattacks that targeted Government of Canada Dangerous”, Foreign Policy. https://foreignpolicy.com/2021/05/03/ online services brought under control, officials say. CBC. https:// cybersecurity-ignorance-is-dangerous/. www.cbc.ca/news/politics/cra-gckey-cyberattack-1.5689106. 52 Neutze, J. (2017), Coordinated Vulnerability Disclosure (CVD); 34 Carin, B. (2017, June 20). G20 safeguards vulnerabilities Kranenbarg, Holt, & van der Ham, Don’t shoot the messenger! of digital economy, with financial sector focus. G20 Insights. https://www.g20-insights.org/policy_briefs/g20-safeguards- 53 Householder, Wassermann, Manion, & King, The CERT Guide to vulnerabilities-digital-economy-financial-sector-focus/. Coordinated Vulnerability Disclosure.

35 Khan, M. K., Goldberg, S., Grainger, P., & Sethi, B. (2020, 54 OECD, Encouraging vulnerability treatment. November 26). Heightening cybersecurity to promise safety 55 and fairness for citizens in the Post-Covid-19 Digital World. G20 See, for example, work by E. Gabriella Coleman and Alex Insights. https://www.g20-insights.org/policy_briefs/heightening- Golub, which identifies that security researchers and hackers cybersecurity-to-promise-safety-and-fairness-for-citizens-in-the- are not homogenous in their intention and motivation and that post-covid-19-digital-world/. there exists a wide array of ethical viewpoints held by hackers animating the work they do. Coleman, E. G., & Golub, A. (2008). 36 Woszczynski, A., Green, A., Dodson, K., & Easton, P. (2020). Hacker practice: Moral genres and the cultural articulation of Zombies, Sirens, and Lady Gaga – Oh My! Developing a liberalism. Anthropological Theory, 8(3), 255–277. https://doi. Framework for Coordinated Vulnerability Disclosure for U.S. org/10.1177/1463499608093814. Emergency Alert Systems. Government Information Quarterly, 37(1), 101418. https://doi.org/10.1016/j.giq.2019.101418. 56 Householder, Wassermann, Manion, & King, The CERT Guide to Coordinated Vulnerability Disclosure. 37 International Organization for Standardization. (2020). Information technology — Security techniques — Vulnerability 57 Erik Silfversten, William Phillips, Giacomo Persi Paoli, & Cosmin handling processes (CSA ISO-IEC 30111-20). https://www.scc.ca/ Ciobanu. (2018). Economics of Vulnerability Disclosure. European en/standardsdb/standards/30641. Union Agency For Network and Information Security. https:// www.enisa.europa.eu/publications/economics-of-vulnerability- 38 H. Cavusoglu, H. Cavusoglu and S. Raghunathan, “Efficiency of disclosure/at_download/fullReport. See also Neutze, J., Vulnerability Disclosure Mechanisms to Disseminate Vulnerability Coordinated Vulnerability Disclosure (CVD). Knowledge,” in IEEE Transactions on Software Engineering, vol. 33, no. 3, pp. 171-185, March 2007, doi: 10.1109/TSE.2007.26. 58 Householder, Wassermann, Manion, & King, The CERT Guide to Coordinated Vulnerability Disclosure. 39 Householder, Wassermann, Manion, & King, The CERT Guide to Coordinated Vulnerability Disclosure. 59 Ibid.

40 Hathaway, M. (2019). Patching Our Digital Future Is 60 Ibid. Unsustainable and Dangerous. Centre for International Governance Innovation. https://www.cigionline.org/articles/ 61 Ibid. patching-our-digital-future-unsustainable-and-dangerous/. 62 Ibid. 41Householder, Wassermann, Manion, & King, The CERT Guide to 63 Coordinated Vulnerability Disclosure. Swaminatha, T. (n.d.). Bug Bounty and Vulnerability Disclosure Programs. ZeroDay Law LLC. Retrieved March 8, 2021, from http:// 42 Joint Task Force Transformation Initiative. (2013). Security uk.practicallaw.thomsonreuters.com/w-014-4541. and Privacy Controls for Federal Information Systems and 64 Organizations (NIST SP 800-53r4; p. NIST SP 800-53r4). National Ruohonen, J., Hyrynsalmi, S., & Leppänen, V. (2020). A Institute of Standards and Technology. https://doi.org/10.6028/ mixed methods probe into the direct disclosure of software NIST.SP.800-53r4 vulnerabilities. Computers in Human Behavior, 103, 161–173. https://doi.org/10.1016/j.chb.2019.09.028. 43 OECD, Encouraging vulnerability treatment. 65Brady, R. M., Anderson, R. J., & Ball, R. C., Murphy’s law, the 44 Ibid fitness of evolving species, and the limits of software reliability.

45 Ibid. 66 Kranenbarg, Holt & van der Ham, Don’t shoot the messenger!

46 CBC News. (2019, July 22). Equifax to pay up to $700M in U.S. 67 Ozment, A. (2005). The Likelihood of Vulnerability Rediscovery to settle data breach, but Canada is not included. CBC News. and the Social Utility of Vulnerability Hunting. Fourth Workshop on https://www.cbc.ca/news/business/equifax-fine-1.5219957. the Economics of Information Security (June 2–3 2005). https:// citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.61.154. 47 Whittaker, Z. (2018, December 10). Equifax breach was ‘entirely preventable’ had it used basic security measures, says House 68 Finifter, M., Akhawe, D., & Wagner, D. (2013). An Empirical report. TechCrunch. https://techcrunch.com/2018/12/10/equifax- Study of Vulnerability Rewards Programs. 22nd USENIX Security breach-preventable-house-oversight-report/. Symposium. https://www.usenix.org/system/files/conference/ usenixsecurity13/sec13-paper_finifter.pdf. 48 OECD, Encouraging vulnerability treatment.

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 46 69 Votipka, D., Stevens, R., Redmiles, E., Hu, J., & Mazurek, M. (2018). 93 Pupillo, Ferreira & Varisco, Software Vulnerability Disclosure in Hackers vs. Testers: A Comparison of Software Vulnerability Europe, 46. Discovery Processes. 2018 IEEE Symposium on Security and Privacy (SP), 374–391. https://doi.org/10.1109/SP.2018.00003. 94 Cybersecurity and Infrastructure Security Agency. (2020, September 2). Binding Operational Directive 20-01. Department 70 Swaminatha, Bug Bounty and Vulnerability Disclosure of Homeland Security. https://cyber.dhs.gov/bod/20-01/. Programs. 95 Cybersecurity and Infrastructure Security Agency. (2018, 71 Kranenbarg, Holt & van der Ham, Don’t shoot the messenger! November 19). Cybersecurity and Infrastructure Security Agency Act of 2018. Department of Homeland Security. 72 Rhysider, J. (2018, November 1). EP 25: Alberto (No. 25). https:// https://us-cert.cisa.gov/ncas/current-activity/2018/11/19/NCCIC- darknetdiaries.com/episode/25/ Now-Part-Cybersecurity-and-Infrastructure-Security-Agency.

73 National Cyber Security Centre. (2018). Coordinated 96 Cybersecurity and Infrastructure Security Agency, Binding Vulnerability Disclosure: The Guideline. National Cyber Security Operational Directive 20-01, 8(a). Centre. https://english.ncsc.nl/publications/publications/2019/ juni/01/coordinated-vulnerability-disclosure-the-guideline. 97 Ibid, 8(b) & 8(c).

74 National Cyber Security Centre, Coordinated Vulnerability 98 Cybersecurity and Infrastructure Security Agency, Binding Disclosure. Operational Directive 20-01

75 FIRST Improving Security Together. (n.d.). National Cyber 99 Cybersecurity and Infrastructure Security Agency. (n.d.). CISA Security Centre of The Netherlands Team Information. FIRST Coordinated Vulnerability Disclosure (CVD) Process. Department Improving Security Together. https://www.first.org/members/ of Homeland Security.https://www.cisa.gov/coordinated- teams/ncsc-nl. vulnerability-disclosure-process.

76 National Cyber Security Centre. (n.d.). About the NCSC. Ministry 100 Hack The Pentagon. (n.d.). HackerOne. Retrieved March 8, of Justice and Security. https://english.ncsc.nl/about-the-ncsc. 2021, from https://www.hackerone.com/hack-the-pentagon.

77 Government of the Netherlands. (n.d.). Ministry of Justice 101 Army Cyber Command. (2020, November 9). Hack The Army and Security. Government of the Netherlands. https://www. 3.0 furthers innovative bug bounty program to defend networks, government.nl/ministries/ministry-of-justice-and-security. data. United States Army. https://www.army.mil/article/240719/ hack_the_army_3_0_furthers_innovative_bug_bounty_program_ 78 National Cyber Security Centre, Coordinated Vulnerability to_defend_networks_data. Disclosure. 102 Athy, D. (2016, March). Department of Defense Announces 79 National Cyber Security Centre. (n.d.). Reporting a Vulnerability Initiative for Vetted Hackers to Hack the Pentagon. Synack. (CVD). Ministry of Justice and Security. https://english.ncsc.nl/ https://www.synack.com/blog/hack-the-pentagon/; Kushto, G. contact/reporting-a-vulnerability-cvd (2016, September 22). Bug bounties: How federal agencies can 80 National Cyber Security Centre, Coordinated Vulnerability learn from Apple. GCN. https://gcn.com/Articles/2016/09/22/Bug- Disclosure. bounty-program.aspx?m=1.

81 National Cyber Security Centre, Reporting a Vulnerability (CVD). 103 DOD News. (2021, May 4). DOD Expands Hacker Program to All Publicly Accessible Defense Information Systems. U.S. 82 Ibid Department of Defense. https://www.defense.gov/Explore/News/ Article/Article/2595294/dod-expands-hacker-program-to-all- 83Ibid publicly-accessible-defense-information-syste/.

84Ibid 104 Feldman, A., & Feola, A. (2020, December 14). TTS Bug Bounty Program: 3 Year Review. Digital.Gov. https://digital. 85 National Cyber Security Centre, Coordinated Vulnerability gov/2020/12/14/tts-bug-bounty-program-3-year-review/. Disclosure. 105 H.R.7327—Strengthening and Enhancing Cyber-capabilities 86 Public Prosecution Service. (2020). OM-beleidsbrief by Utilizing Risk Exposure Technology Act, Congress, 115th Coordinated Vulnerability Disclosure. Public Prosecution Service. Congress (2017-2018) (2018) (testimony of Will Hurd). https://www. https://www.om.nl/documenten/richtlijnen/2020/december/14/ congress.gov/bill/115th-congress/house-bill/7327/text om-beleidsbrief-ethisch-hacken 106 H.R.5433—Hack Your State Department Act, Congress, 115th 87 Public Prosecution Service, OM-beleidsbrief Coordinated Vulnerability Disclosure. Congress (2017-2018). https://www.congress.gov/bill/115th-congress/ house-bill/5433 88 National Cyber Security Centre, Coordinated Vulnerability 107 Disclosure, 9. H.R.1668—IoT Cybersecurity Improvement Act of 2020, Congress, 116th Congress (2019-2020) (2020). https://www. 89 Public Prosecution Service, OM-beleidsbrief Coordinated congress.gov/bill/116th-congress/house-bill/1668/text. Vulnerability Disclosure. 108 The White House. (2021, May 12). FACT SHEET: President Signs 90 Tidy, J. (2020, November 20). Trump Twitter ‘hack’: Dutch police Executive Order Charting New Course to Improve the Nation’s question researcher. BBC News. https://www.bbc.com/news/ Cybersecurity and Protect Federal Government Networks. technology-55019858. The White House. https://www.whitehouse.gov/briefing-room/ statements-releases/2021/05/12/fact-sheet-president-signs- 91 Public Prosecution Service. (2020, December 16). Trump Twitter executive-order-charting-new-course-to-improve-the-nations- account login not punishable. Public Prosecution Service. https:// cybersecurity-and-protect-federal-government-networks/. www.om.nl/actueel/nieuws/2020/12/16/inlog-twitter-account- trump-niet-strafbaar 109 Ibid.

92 National Cyber Security Centre, Coordinated Vulnerability 110 Ibid. Disclosure, 10.

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 47 111 Marshall Jarrett, Michael W Bailie, Ed Hagen, & Scott 130 Public Safety Canada. (2019). National Cyber Security Action Eltringham. (2010). Prosecuting Computer Crimes. Office of Plan, 2019-2024. 17. https://www.publicsafety.gc.ca/cnt/rsrcs/ Legal Education Executive Office for United States Attorneys. pblctns/ntnl-cbr-scrt-strtg-2019/index-en.aspx; Public Safety https://www.justice.gov/sites/default/files/criminal-ccips/ Canada. (28 May 2019). National Cyber Security Strategy. https:// legacy/2015/01/14/ccmanual.pdf. www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg/ index-en.aspx. 112 Library of Congress. (1998). The Digital Millennium Copyright Act of 1998: U.S. Copyright Office summary. Washington, D.C.: 131 Treasury Board of Canada Secretariat. (2018). Government of Copyright Office, Library of Congress.https://www.copyright.gov/ Canada Cyber Security Event Management Plan (GC CSEMP) legislation/dmca.pdf. 2019. Government of Canada. https://www.canada.ca/en/ government/system/digital-government/online-security-privacy/ 113 Cybersecurity Unit. (2017). A Framework for a Vulnerability security-identity-management/government-canada-cyber- Disclosure Program for Online Systems. U.S. Department of security-event-management-plan.html. Justice. https://www.justice.gov/criminal-ccips/page/file/983996/ download. 132 Canadian Centre for Cyber Security. (n.d.). Alerts & Advisories. Communications Security Establishment. https://cyber.gc.ca/en/ 114 Van Buren v. USA. US Supreme Court. (2021) https://www. alerts-advisories. supremecourt.gov/opinions/20pdf/19-783_k53l.pdf. 133 Canadian Centre for Cyber Security. (n.d.). Glossary. 115 Exemption to Prohibition on Circumvention of Copyright Communications Security Establishment. https://cyber.gc.ca/en/ Protection Systems for Access Control Technologies 2018, 83 FR glossary. 54010 (October 28, 2018) (to be codified at 37 CFR 201).https:// www.federalregister.gov/documents/2018/10/26/2018-23241/ 134 Canadian Centre for Cyber Security. (n.d.). Report a Cyber exemption-to-prohibition-on-circumvention-of-copyright- Incident. Communications Security Establishment. https://cyber. protection-systems-for-access-control. gc.ca/en/incident-management.

116 H.R.7327 - 115th Congress (2017-2018): Strengthening 135 Canadian Centre for Cyber Security. (2018, August 15). and Enhancing Cyber-capabilities by Utilizing Risk Exposure Canadian Centre for Cyber Security. Canadian Centre for Cyber Technology Act. (2018, December 21). https://www.congress.gov/ Security. https://web.archive.org/web/20210427205257/https:// bill/115th-congress/house-bill/7327/text. cyber.gc.ca/en/

117 Cybersecurity and Infrastructure Security Agency, Binding 136 Canadian Centre for Cyber Security. (2021, February 16). Operational Directive 20-01. Canadian Centre for Cyber Security. Canadian Centre for Cyber Security. https://cyber.gc.ca/en/ 118 Wasser, L. A., & Pennington, K. (2021). Cybersecurity 2021: Canada. In International Comparative Legal Guide: Cybersecurity 137 Canadian Centre for Cyber Security. (2021, May 12). Canadian 2021 (4th ed.). Global Legal Group. http://mcmillan.ca/wp- Centre for Cyber Security. Canadian Centre for Cyber Security. content/uploads/2020/07/Lyndsay_Wasser-Kristen_Pennington_ https://cyber.gc.ca/en/. CYB21_Chapter-9_Canada.pdf. 138 Government of Canada. (10 March 2020). Department of 119 R. v. Geller, 2003 CanLII 31190 (ON SC), https://canlii.ca/ National Defence and the Canadian Armed Forces 2020-21 t/1bx92 Departmental Plan. 8-9. https://www.canada.ca/en/department- national-defence/corporate/reports-publications/departmental- 120 Hadnagy, C. (2010). Social Engineering: The Art of Human plans/departmental-plan-2020-21-index.html. Hacking. Wiley 139 Government of Canada, Department of National Defence and 121 Copyright Act, RSC 1985, c C-42, section 41.13. the Canadian Armed Forces 2020-21 Departmental Plan, 57.

122 Copyright Act, RSC 1985, c C-42, section 41.15. 140 Government of Canada. (2015). “Cyber and Information Technology Security.” Shared Services Canada. https://www. 123 Martin-Bariteau, F. and Newman, V., Whistleblowing in Canada. canada.ca/en/shared-services/corporate/cyber-information- A Knowledge Synthesis Report (February 15, 2018). Ottawa technology-security.html. Faculty of Law Working Paper No. 2018-07. 141 Berthiaume, L. (2021, January 5). “Poor IT Support Hurts 124 Public Servants Disclosure Protection Act, SC 2005, c 46, Canadian Military Operations, Internal Review Finds.” National https://canlii.ca/t/54317 at paras 20(4) and 19. Observer. https://www.nationalobserver.com/2021/01/05/news/ technology-support-canadian-military-operations-internal- 125 Martin-Bariteau, F. and Newman, V. (2018); Personal review-Canadian-armed-forces-defence-canada-computers. Information Protection and Electronic Documents Act, SC 2000, c 5, para. 27.1 142 Bharti, B. (12 April 2021). “Federal Government Signs Deal with BlackBerry to Use Its Cybersecurity Tools.” Financial Post. https:// 126 Martin-Bariteau, F., Stevens, Y., & Tran, S. (2021, May). financialpost.com/news/federal-government-signs-deal-with- See Something, Say Something? The State of Coordinated blackberry-to-use-its-cybersecurity-tools. Vulnerability Disclosure in Canada’s Federal Government. NorthSec. 143 Parliament of Canada. (4 February 2019). “Standing Committee on Public Safety and National Security.” Number 147, 1st Session, 127 Martin-Bariteau, F. and Newman, V., Personal Information 42nd Parliament. https://www.ourcommons.ca/DocumentViewer/ Protection and Electronic Documents Act, 4. en/42-1/SECU/meeting-147/evidence.

128 Canadian Digital Service & Office of the Chief Information 144 Ibid. Officer. (2020, July 31).Vulnerability Disclosure Process for the COVID Alert service. GitHub. https://github.com/cds-snc/covid- 145 Treasury Board of Canada Secretariat. (n.d.). Government of alert-documentation. Canada Cyber Security Event Management Plan (GC CSEMP) 2019. Government of Canada. https://www.canada.ca/en/ 129 Government of Canada. (2021). Canadian Centre for Cyber government/system/digital-government/online-security-privacy/ Security. https://cyber.gc.ca/en/. security-identity-management/government-canada-cybersecurity-event-management-plan.html.

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 48 146 Canadian Centre for Cyber Security. (2021, March 2). Active 162 Communications Security Establishment, CSE’s Equities Exploitation of Microsoft Exchange Vulnerabilities - Update 4. Management Framework. Communications Security Establishment. https://cyber.gc.ca/en/ alerts/active-exploitation-microsoft-exchange-vulnerabilities. 163 Ibid.

147 Communications Security Establishment. (n.d.). CSE’s Equities 164 For cases where the court attempted to interpret both of these Management Framework. Government of Canada. https:// terms, see for example: R v McNish, 2020 ABCA 24, archive.is/jDKbU. R v Horse, 2019 SKCA 56, R. c. Parent, 2012 QCCA 1653, R v Braile, 2018 ABQB 361, R. v. Senior, 2021 ONSC 272. 148 Electronic Privacy Information Center. (n.d.). Vulnerabilities For cases where the court attempted to interpret the term Equities Process. Electronic Privacy Information Center. https:// “fraudulently,” see, for example: U.S.A. v. Su Bin, 2015 BCSC 1586, epic.org/privacy/cybersecurity/vep/ R. v. Alexander, 2006 CanLII 26480, R. v. R.J.S., 2010 NSSC 253. For cases where the court attempted to interpret the term “colour 149 Electronic Privacy Information Center, Vulnerabilities Equities of right,” see, for example: O’Brien I.M.G. (Master Corporal), Process. R. v., 2015 CM 1013, R. v. Livingston, 2018 ONCJ 25, R. c. St- Martin, 2012 QCCQ 575, R. c. Lauzon, 2013 QCCQ 5060. 150 Kenway, J., Sugihara, M., Zilberfarb, A., & Tortolero, P. (2021). More Sunlight, Fewer Shadows: Guidelines For Establishing & 165 R v McNish, 2020 ABCA 249 (CanLII) at para 63; Thibodeau c. Strengthening Government Vulnerability Disclosure Policies. R., 2018 QCCA 1476 (CanLII) at paras 12-13. Center for Cybersecurity Policy and Law, 1-20. https://www. cyberthreatalliance.org/wp-content/uploads/2021/02/More_ 166 Public Prosecution Service of Canada. (2018, December 8). Sunlight_Fewer_Shadows.pdf 5.12 Prosecutions involving Non-Disclosure of HIV Status. Public Prosecution Service of Canada. https://www.ppsc-sppc.gc.ca/ 151 CSE [@cse_cst]. (2019, March 8) Today, CSE has published our eng/pub/fpsd-sfpg/fps-sfp/tpd/p5/ch12.html Equities Management Framework for the first time [Tweet]. Twitter. https://twitter.com/cse_cst/status/1104088450935021570. 167 Public Prosecution Service, OM-beleidsbrief Coordinated Vulnerability Disclosure. 152 Timberg, C., & Nakashima, E. (2017, May 16). NSA officials worried about the day its potent hacking tool would get loose. 168 Cybersecurity Unit Computer Crime & Intellectual Property Then it did. The Washington Post. https://www.washingtonpost. Section. (2017, July). A Framework for a Vulnerability Disclosure com/business/technology/nsa-officials-worried-about- Program for Online Systems. U.S. Department of Justice. https:// the-day-its-potent-hacking-tool-would-get-loose-then-it- www.justice.gov/criminal-ccips/page/file/983996/download. did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_ story.html. 169 Cybersecurity and Infrastructure Security Agency. (n.d.). Vulnerability Disclosure Policy Template. Department of 153 Healey, J. (2016). The U.S. Government and Zero-Day Homeland Security. https://cyber.dhs.gov/bod/20-01/vdp- Vulnerabilities: From Pre-Heartbleed to Shadow Brokers. template/. Columbia Journal of International Affairs, 1-20. https://jia.sipa. columbia.edu/online-articles/healey_vulnerability_equities_ 170 Woszczynski, A., Green, A., Dodson, K., & Easton, P. (2020). process. Zombies, Sirens, and Lady Gaga – Oh My!

154 Fruhlinger, J. (2018, August 30). What is WannaCry 171 Bannister, A. (2021, May 5). US Department of Defense ransomware, how does it infect, and who was responsible? CSO. expands vulnerability disclosure program. The Daily Swig. https:// https://www.csoonline.com/article/3227906/what-is-wannacry- portswigger.net/daily-swig/us-department-of-defense-expands- ransomware-how-does-it-infect-and-who-was-responsible.html. vulnerability-disclosure-program

155 Kaspersky. (n.d.). What is WannaCry ransomware? 172 Vulnerability Co-ordination Pilot. (2017, March 13). The National Kaspersky. https://www.kaspersky.com/resource-center/threats/ Cyber Security Centre. https://www.ncsc.gov.uk/blog-post/ ransomware-wannacry. vulnerability-co-ordination-pilot; NCSC Vulnerability Disclosure Co-ordination. (2018, October 19). The National Cyber Security 156 Perlroth, This Is How They Tell Me the World Ends. Centre. https://www.ncsc.gov.uk/blog-post/ncsc-vulnerability-

157 disclosure-co-ordination; Hack the Gov’t and Tell the NCSC? Kenway, J., & Garcia, M. (2021, June 1). To Patch or Not to You’ll Now Get a Pat on the Back. Tech Monitor. (2018, December Patch: Improving the US Vulnerabilities Equities Process. Third 21). https://techmonitor.ai/techonology/cybersecurity/ncsc- Way. https://www.thirdway.org/memo/to-patch-or-not-to-patch- vulnerability-reporting. improving-the-us-vulnerabilities-equities-process 173 158 Householder, Wassermann, Manion, & King, The CERT Guide Cybersecurity and Infrastructure Security Agency, Binding to Coordinated Vulnerability Disclosure. Operational Directive 20-01; Cybersecurity and Infrastructure Security Agency, CISA Coordinated Vulnerability Disclosure (CVD). 174 Woszczynski, Green, Dodson & Easton, Zombies, Sirens, and Lady Gaga – Oh My! 159 The White House. (2017, November 15). Unclassified Vulnerabilities Equities Policy and Process for the United 175 Zhao, M., Laszka, A., & Grossklags, J. (2017). Devising Effective States Government. Trump White House Archives. https:// Policies for Bug-Bounty Platforms and Security Vulnerability trumpwhitehouse.archives.gov/sites/whitehouse.gov/files/ Discovery. Journal of Information Policy, 7. https://doi. images/External%20-%20Unclassified%20VEP%20Charter%20 org/10.5325/JINFOPOLI.7.2017.0372. FINAL.PDF. 176 National Institute of Standards and Technology. (2018). 160 Government Communications Headquarters. (2018, November Framework for Improving Critical Infrastructure Cybersecurity, 29). The Equities Process. GCHQ. https://www.gchq.gov.uk/ Version 1.1 (NIST CSWP 04162018; p. NIST CSWP 04162018). information/equities-process. National Institute of Standards and Technology. https://doi. org/10.6028/NIST.CSWP.04162018 161 Parsons, C. (2021, March 29). Christopher Parsons Delivers Testimony to Special Committee on Canada-China Relations. 177 International Organization for Standardization. (2018, The Citizen Lab. https://citizenlab.ca/2021/03/christopher- October 23). Information technology — Security techniques parsons-delivers-testimony-to-special-committee-on-canada- — Vulnerability disclosure (ISO/IEC 29147:2018). https://www. china-relations/. iso.org/standard/72311.html; International Organization for

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 49 Standardization (2013). Information technology — Security in Computer Security Incident Response [White paper]. New techniques — Vulnerability handling processes International America. https://www.newamerica.org/cybersecurity-initiative/ Standard (ISO/IEC 30111). https://www.iso.org/standard/69725. policy-papers/national-csirts-and-their-role-in-computer- html security-incident-response/.

178 Woszczynski, Green, Dodson & Easton, Zombies, Sirens, and 192 Joint Task Force Transformation Initiative. (2013). Security Lady Gaga – Oh My! and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53r4; p. NIST SP 800-53r4). National 179 Athy, Department of Defense Announces Initiative for Vetted Institute of Standards and Technology. https://doi.org/10.6028/ Hackers to Hack the Pentagon; Kushto, Bug bounties: How NIST.SP.800-53r4 federal agencies can learn from Apple. 193 Joint Technical Committee ISO/IECJTC1. (2018). ISO/IEC 180 Ellis, R., Moussouris, K., & Stevens, Y. (2020, January 29147:2018 Information technology—Security techniques— 10). Emailed comments from Ryan Ellis, Katie Moussouris, Yuan Vulnerability disclosure. ISO/IEC. https://www.iso.org/obp/ui/ Stevens · Issue #133 · cisagov/cyber.dhs.gov. https://github.com/ es/#iso:std:iso-iec:29147:ed-2:v1:en cisagov/cyber.dhs.gov/issues/133 194 Ibid. 181 IT-Sicherheitsforschende (Finder). (n.d.). Bundeswehr. https:// www.bundeswehr.de/de/security-policy/danksagung. 195 Pupillo, Ferreira & Varisco, Software Vulnerability Disclosure in Europe, 5. 182 Ellis, R., Huang, K., Siegel, M., Moussouris, K., & Houghton, J. (2018). CHAPTER 4 Fixing a Hole: The Labor Market for Bugs. 196 Ibid. In H. Shrobe, D. L. Shrier, & A. Pentland (Eds.), New Solutions for 197 Cybersecurity (pp. 129–159). MIT Press. http://ieeexplore.ieee.org/ Householder, Wassermann, Manion, & King, The CERT Guide document/8333100. to Coordinated Vulnerability Disclosure.

198 183 Industrial Control Systems. (n.d.). Cybersecurity & Infrastructure Ibid, 43. Security Agency. Retrieved June 14, 2021, from 199 Ibid. https://us-cert.cisa.gov/ics.

200 184 Canadian Centre for Cyber Security, Alerts & Advisories. Kenway, Sugihara, Zilberfarb & Tortolero, More Sunlight, Fewer Shadows. 185 Horne, B. (2014). On Computer Security Incident Response 201 Teams. IEEE Security Privacy, 12(5), 13–15. https://doi. The White House, Unclassified Vulnerabilities Equities Policy org/10.1109/MSP.2014.96. and Process for the United States Government.

202 186 Authorization to Use the CERT Mark. (n.d.). Software The Equities Process. (2018, November 29). GCHQ. https:// Engineering Institute. Retrieved March 9, 2021, from https:// www.gchq.gov.uk/information/equities-process. www.sei.cmu.edu/education-outreach/license-sei-materials/ 203 authorization-to-use-cert-mark/index.cfm Communications Security Establishment. (n.d.). CSE’s Equities Management Framework 187 Kelty, C. (2011). The Morris Worm. Limn, 1(1). https:// escholarship.org/uc/item/8t12q5bj.

188 Horne, On Computer Security Incident Response Teams.

189 Carpenter, J. J. (2008). CERT Overview. https://www.sis.pitt.edu/ jjoshi/courses/IS2150/Fall08/CertOverview.pdf.

190 Ruefle, R. (2007).Defining Computer Security Incident Response Teams. Software Engineering Institute, Carnegie Mellon University. https://resources.sei.cmu.edu/asset_files/ WhitePaper/2007_019_001_294579.pdf.

191 Communications Security Establishment. (2020, October 27). Authorities and Capabilities for CSE. https://cse-cst.gc.ca/ en/corporate-information/mandate; Maurer, T., Hohmann, M., Skierka, I., & Morgus, R. (2015). National CSIRTs and Their Role

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 50